ietf-dkim

Re: [ietf-dkim] DKIM does not claim content is correct

2009-01-28 09:29:53
On Wed, Jan 28, 2009 at 7:42 PM, Dave CROCKER <dhc(_at_)dcrocker(_dot_)net> wrote:
It provides data integrity, for the portions covered by the hash, and it
authenticates the asserted "signing identity".  It does *not* assert
authorization of the From: field.

Unless the from field is signed .. and perhaps this is appropriate in
quite a few scenarios.

Even in cases where the from is not changeable by the end user (in a
webmail client, or corporate mail system) and is therefore yet another
header that is subject to signing?  And does this go for other
alternatives such as Sender: where the envelope sender is inserted
where header from differs from envelope from?

Given the community tendency to make assumptions about DKIM that aren't in
the specification, this really is worth being extremely careful about.

That's one more reason for a use case document.

thanks
suresh

-- 
Suresh Ramasubramanian (ops(_dot_)lists(_at_)gmail(_dot_)com)
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
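
The distinction discussed in this message, as an added example that is not part of the original post or of any DKIM implementation: the Python below reads a DKIM-Signature header and reports which headers the h= tag covers, whether l= limits body coverage, and whether the signing domain d= is the same as the From: domain. It performs no cryptographic verification; the sample message, its domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; bh= and b= are placeholders, not a real signature.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=lists.example.net;
 s=sel1; h=from:to:subject:date; l=120;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.com>
Sender: list-bounces@lists.example.net
To: bob@example.org
Subject: hello
Date: Wed, 28 Jan 2009 09:29:53 +0000

body
"""

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (folding whitespace removed)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def describe(raw):
    """Report what the signature covers and whose identity it carries."""
    msg = message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    present = {k.lower() for k in msg.keys()} - {"dkim-signature"}
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    signing_domain = tags.get("d", "").lower()
    return {
        "signing_domain": signing_domain,
        "from_domain": from_domain,
        "from_signed": "from" in signed,          # integrity of the From: text
        "unsigned_headers": sorted(present - set(signed)),
        "body_partially_covered": "l" in tags,    # l= limits the hashed body length
        # Exact comparison only; a mismatch means the signer vouches for
        # its own identity (d=), not for the author named in From:.
        "d_matches_from": signing_domain == from_domain,
    }

if __name__ == "__main__":
    for key, value in describe(SAMPLE).items():
        print(f"{key}: {value}")
```

In the sample, From: is covered by the hash, yet the signing identity is lists.example.net while the author address is at example.com, and Sender: is not covered at all.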
