On Friday 14 July 2006 01:51, Mark Delany wrote:
Eric Allman wrote:
Folks OK with that?
-1
If a verifier has a verified email with a d= what is the fundamental
value-add on insisting that From: is a signed header? After all, a
minimalist verifier is going to query some database to ask the
question: Do I like d=?
Will that query be influenced by a From: header? I'd think not. A
minimalist verifier could care less. All they want to know is, who is
the responsible domain and how much do I like them?
It still seems to me that enforcing a From: is a vestigial attempt to
protect MUAs. But I thought we had decided that we weren't in the
business of solving that problem? Is that true?
If we are truly out of the business of protecting MUAs, then I see no
rationale for enforcing From: signing.
If we are in the business of protecting MUAs then we need to re-visit
that whole can of worms around Sender: and Resent: and all those other
potential MUA originators and triggers.
From my perspective we should be, at a minimum signing 'the message'. Since
From required by both RFCs 822 and 2822, then without including it, what is
signed isn't a valid e-mail message.
I think it's more, at this level, a question of protecting the message from
in-transit modification than protecting the MUA. So, put another way, I
think you need to sign From for the same reason you sign the body of the
message.
Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html