On Jan 17, 2008, at 2:01 PM, Jim Fenton wrote:
> Dave Crocker wrote:
>> Yes, but suppose that the Sender header were used only when the
>> domain found therein matched one of those in the From.
>
> I'm still missing a suggestion for what we use when the Sender
> header field does not match any of the addresses in the From. Do we
> then revert to First Author? All Authors?
Establishing compliance is a separate matter from that of establishing
policy.

If the DKIM WG adopts John Levine's suggestion, then all From domain
policies would need to be obtained. If the "first author" policy
strategy is retained, only the From domain policy of the first email-
address would be obtained.

Policy compliance for a From domain expressing either "all" or
"strict" would require a signature from that domain, irrespective of
the "on-behalf-of" header assertion. An exception might be made for
g= restricted keys, but again the WG would need to decide this as
well. IMHO, there should be an exception made for restricted keys.

Depending upon how restricted keys are handled, there might be a need
to obtain the policy of the signing domain when "all" or "strict"
assertions are intended to invalidate these signatures and when the
domain is not present within the From header. The signing domain
might be associated with any header, or no header at all. It could be
the Sender header. It could be simpler to say g= restricted keys
should only sign on-behalf-of a From email-address domain.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
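
Added example, not part of the original message or of any DKIM specification: a sketch of how the "first author" and "all authors" lookup strategies discussed above change which From domains' policies are checked, and of the rule that an "all" or "strict" domain needs its own signature regardless of the on-behalf-of (i=) value. The function names and the policy table standing in for DNS lookups are hypothetical, an exact match between d= and the From domain is assumed, and the undecided g= exception is not modelled.

```python
from email.utils import getaddresses

# Constructed sample data: published policies keyed by From domain.
# In a real verifier these would come from DNS lookups.
SAMPLE_POLICIES = {"example.com": "unknown", "example.org": "strict"}


def author_domains(from_header):
    """Return the domains of the From addresses, in order, without repeats."""
    domains = []
    for _name, addr in getaddresses([from_header]):
        domain = addr.rpartition("@")[2].lower()
        if domain and domain not in domains:
            domains.append(domain)
    return domains


def domains_to_query(from_header, strategy):
    """Pick the From domains whose policy must be obtained."""
    domains = author_domains(from_header)
    if strategy == "first-author":
        return domains[:1]
    if strategy == "all-authors":
        return domains
    raise ValueError("unknown strategy: %r" % strategy)


def non_compliant_domains(from_header, signing_domains, policies, strategy):
    """List queried From domains whose "all"/"strict" policy is not met.

    signing_domains holds the d= values of signatures that verified.
    The i= (on-behalf-of) value is deliberately ignored: only a
    signature by the From domain itself satisfies its policy.
    """
    signed = {d.lower() for d in signing_domains}
    failures = []
    for domain in domains_to_query(from_header, strategy):
        policy = policies.get(domain, "unknown")
        if policy in ("all", "strict") and domain not in signed:
            failures.append(domain)
    return failures


if __name__ == "__main__":
    # Constructed message: two authors, one valid signature with d=example.com.
    header = "Alice <alice@example.com>, Bob <bob@example.org>"
    for strategy in ("first-author", "all-authors"):
        print(strategy, non_compliant_domains(
            header, ["example.com"], SAMPLE_POLICIES, strategy))
```

With the constructed message, the same signature passes under "first author" and fails under "all authors", because only the second author's domain publishes "strict".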