On Wednesday 10 January 2007 21:54, Douglas Otis wrote:
On Jan 10, 2007, at 2:19 PM, Scott Kitterman wrote:
On Wednesday 10 January 2007 17:01, Douglas Otis wrote:
The base draft requires the From header be signed. This header might
become modified for EAI compliance.
We've been through this before. IIRC, we included 2822-From
because it's a
mandatory part of the message. If you don't sign it, you didn't
sign the
message. We don't sign every other line of the body either.
At that time, it was less clear the impact of that decision. What
value exists when the From header is not associated with the signing-
domain? This again mistakenly assumes recipients will verify the
originator based upon visual inspection. What happens when there are
EAI fix-ups on messages sent through a mailing list that signs their
messages? This requirement will cause these signatures to fail for
no valid reason.
IIRC we discussed EAI at the time and it's not clear to me that anything's
changed. This has nothing to do with the originator address and everything
to do with signing the required elements of the message.
Taken to an extreme, there are reasons why any part of the message might get
changed and so we ought not sign anything.
Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html