At 16:40 24-03-2009, J.D. Falk wrote:
> Pointing to an RFC rarely mitigates real-world concerns.

I commented on why the problem occurs. I could argue that the header
field should not be present in an RFC 5322 message at the signing
stage. RFC 4871 lists some header fields that should be signed. It
also contains a list of header fields that should not be signed. The
Return-Path header field is listed in there.

If you believe this is a real-world concern that should be addressed,
you could specify that the Return-Path header field must not be
included in the signature.