Douglas Otis wrote:
On Jan 17, 2008, at 2:01 PM, Jim Fenton wrote:
Dave Crocker wrote:
Yes, but suppose that the Sender header were used only when the
domain found therein matched one of those in the From.
I'm still missing a suggestion for what we use when the Sender header
field does not match any of the addresses in the From. Do we then
revert to First Author? All Authors?
Establishing compliance is a separate matter from that of establishing
policy.
If the DKIM WG adopts John Levine's suggestion, then all From domain
policies would need to be obtained. If the "first author" policy
strategy is retained, only the From domain policy of the first
email-address would be obtained.
Yes, this is an alternative suggestion to those.
Policy compliance for a From domain expressing either "all" or
"strict" would require a signature from that domain, irrespective of
the "on-behalf-of" header assertion. An exception might be made for
g= restricted keys, but again the WG would need to decide this as
well. IMHO, there should be an exception made for restricted keys.
Depending upon how restricted keys are handled, there might be a need
to obtain the policy of the signing domain when "all" or "strict"
assertions are intended to invalidate these signatures and when the
domain is not present within the From header. The signing domain
might be associated with any header, or no header at all. It could be
the Sender header. It could be simpler to say g= restricted keys
should only sign on-behalf-of a From email-address domain.
You have brought this up several times, and you're at least a couple of
steps ahead of us. Before you do anything based on the policy
(practices), you need to decide where to look to find them. This
discussion has to do with the where-to-look part of the process.
-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html