Suresh Ramasubramanian wrote:
Doesnt have to sign *all* - but some key fields like an authenticator
and/or received headers that stamp Received: from (foo(_at_)localhost) say
...
Yes I know dkim doesnt validate content .. grandma v/s botmaster is
reputation hijack, an entirely different kettle of fish and not
germane here.
My point was more basic than whether the signer can be subverted.
My point is that DKIM semantics do not include a statement about the
truthfulness of *any* message data, except the d= and probably the i= tags in
the DKIM-Signature: field.
It provides data integrity, for the portions covered by the hash, and it
authenticates the asserted "signing identity". It does *not* assert
authorization of the From: field.
Given the community tendency to make assumptions about DKIM that aren't in the
specification, this really is worth being extremely careful about.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html