On Nov 8, 2010, at 1:20 AM, Barry Leiba wrote:
2. The DKIM spec should probably say that signers need to sign valid
messages, and, therefore, SHOULD NOT sign things like this. Text
along the line of this might work well:
"Signers SHOULD take reasonable steps to ensure
that the messages they're signing are valid according to [RFC 5322,
etc]." Leaving the definition of "reasonable" out allows flexibility. It
may be waffly, but I like the approach in this case.
3. It'd be reasonable for the DKIM spec to remind verifiers that
signers aren't supposed to sign stuff like this, so they might
consider that when deciding what to do with it after verification.
It'd be reasonable to remind them of this particular case. But
I think that all ought to be informative text.
Seems unnecessary per #2 above, but I don't care all that much either way.
4. We should agree to this or some variant of it, and then move on.
This is not meant to satisfy everyone. In fact, it isn't what I'd prefer,
if I had my full choice. But it takes care of the problem in a way
that I think is sufficient, and allows us to resolve the issue.
On Nov 8, 2010, at 7:52 AM, Scott Kitterman wrote:
Rather than fall back purely on 5322, I'd prefer to see something in security
considerations that says if the count of a particular header field that is
supposed to be limited (e.g. From and Subject) present in a message exceeds
the number of signed fields, then the signature shouldn't be verified.
I'd have no objection to this either.
At this point the only strong objection I'd have would be if the consensus
measurement were based on one or two people repeatedly expressing Very Strong
Feelings while the rest (like me) mostly don't care. A "meh" result is not the
same as a yes or no.
NOTE WELL: This list operates according to