I fear you missed my point:
"Identity of the user or agent (e.g., a mailing list manager) on
behalf of which this message is signed"
does not mean that that user or agent was the author. So the value might be
wonderfully stable, but its semantics say nothing about authorship.
There is nothing in DKIM that says or implies that it makes
an assertion of valid From: field data.
Any use of DKIM for validation of From: field contents goes beyond the base
specification. For example, ADSP travels that path.
J.D. Falk wrote:
What is delivered can be verified as what was sent. But what was sent is
free to be incorrect.
With DKIM i=, it becomes possible to convey a stable identifier (though of
course there's no guarantee that the identifier is stable, leading to John's
t= suggestion.) Without DKIM (or something like it), as we know, any
potential identifiers are trivially forged.
As Suresh pointed out, DKIM doesn't convey anything about who is using
Grandma's login credentials (in the case where Grandma's login credentials
can be associated with a stable, authenticatable identifier), but I'd say
that's out of scope here.
NOTE WELL: This list operates according to