Hi,
At 14:25 17-11-2005, Stephen Farrell wrote:
And can't the threats document (& later, whatever relevant spec) not
just say "don't do that" and thus avoid the problem?
The DKIM draft mentions:
"Under no circumstances should an unsigned header field be displayed
in any context that might be construed by the end user as having been
signed."
It could be extended further:
The "From:" header should not be signed if it contains more than one
sending address.
Regards,
-sm
_______________________________________________
ietf-dkim mailing list
http://dkim.org