On 01/05/2014 20:54, John Levine wrote:
Perhaps it's time for a more concrete proposal to be written down.
It occurred to me that there's a very simple way to do this:
http://datatracker.ietf.org/doc/draft-levine-may-forward/
Isn't this a bit dangerous?
I don't mean the draft - I mean what the draft suggests.
Unless I'm misunderstanding something badly, essentially all you are
doing is signing the 'From' header field. So, if I get hold of one of
those messages, I can just reproduce it and send zillions more messages
pretending to be from you all with your From header, and all 'signed
correctly'.
Maybe that's the point - the draft essentially makes clear that you
can't use DKIM from the sender to authenticate the message, as the From
header is pretty much all you can rely on staying the same (if that) by
the time the list recipient gets the message from the mailing list.
Hence trying to do this is a bad idea.
IMHO, you'd be better off just not using DKIM at all in these
situations, rather than giving out a way for people to forge mail from
you and 'sign' it.
-
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
_______________________________________________
ietf-822 mailing list
ietf-822(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-822