Suresh Ramasubramanian wrote:
On Wed, Jan 28, 2009 at 7:42 PM, Dave CROCKER <dhc(_at_)dcrocker(_dot_)net> wrote:
It provides data integrity, for the portions covered by the hash, and it
authenticates the asserted "signing identity". It does *not* assert
authorization of the From: field.
Unless the from field is signed .. and perhaps this is appropriate in
quite a few scenarios.
NO NO NO NO NO!!! A thousand times NOOOOOOO!!!!!
Including the From: field in the DKIM hash does *not* carry the semantic that it has valid content!!!!!
Simple example:
Mail sent through mipassoc.org, such as this DKIM wg mailing list message, is signed by my ISP. I guarantee you that the ISP does not evaluate whether the From: field is authorized to be used by the author. All that a DKIM signature means is that the "signing identity" -- in this case, mipassoc.org, which has nothing to do with the author -- is taking some responsibility for the message. And the nature and degree of that responsibility is intentionally left unstated.
That's massively different from saying that particular portions of the
message are "correct".
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
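The distinction Dave draws above (signing identity versus the From: field, and "covered by the hash" versus "authorized") is easy to get wrong in verifier code. The following Python is an added example, not code from this thread or from any DKIM implementation: it parses a constructed DKIM-Signature header, extracts the signing identity (d=) and the list of hashed header fields (h=), and reports those facts separately from the From: domain. It performs no cryptographic verification; the sample message, selector, and hash values are made up for illustration.

```python
"""
Added example: separate what a DKIM-Signature header asserts (signing identity,
which header fields are covered) from what it does not assert (that the From:
field is authorized).  No signature verification is performed here.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message.  d= names the signing identity; h= lists the
# header fields covered by the hash.  The bh= and b= values are placeholders,
# not real hashes or signatures.
SAMPLE_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mipassoc.org; s=list;
 h=from:to:subject:date:message-id; bh=EXAMPLEBODYHASH=; b=EXAMPLESIG=
From: Dave Crocker <dhc@dcrocker.net>
To: ietf-dkim@mipassoc.org
Subject: Re: What DKIM asserts
Date: Wed, 28 Jan 2009 19:55:00 -0800
Message-ID: <constructed@example.invalid>

Body text.
"""


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs.

    Whitespace (including header folding) is insignificant in the tag list,
    so it is stripped before splitting on ';'.  Only the first '=' in each
    item separates tag from value, so base64 padding in bh=/b= survives.
    """
    unfolded = re.sub(r"\s+", "", header_value)
    tags = {}
    for item in unfolded.split(";"):
        if not item:
            continue
        name, _, value = item.partition("=")
        tags[name] = value
    return tags


def describe_signature(raw_message: str) -> dict:
    """Report the signing identity and the From: domain as separate facts.

    'from_is_hashed' only means the From: field cannot be altered in transit
    without invalidating the signature (integrity).  It says nothing about
    whether the signer checked that the author may use that From: address.
    """
    msg = message_from_string(raw_message)
    tags = parse_dkim_tags(msg.get("DKIM-Signature", ""))
    signed_headers = [h.lower() for h in tags.get("h", "").split(":") if h]
    signing_domain = tags.get("d", "").lower()
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    return {
        "signing_domain": signing_domain,
        "from_domain": from_domain,
        "from_is_hashed": "from" in signed_headers,
        "signer_matches_from_domain": signing_domain == from_domain,
    }


if __name__ == "__main__":
    report = describe_signature(SAMPLE_MESSAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
    # The signer (mipassoc.org) is not the From: domain (dcrocker.net), yet
    # From: is covered by the hash.  That is integrity, not authorization.
```

Run as a script, the report shows `from_is_hashed: True` alongside `signer_matches_from_domain: False`, which is exactly the situation in the list message: the From: header is protected against modification, but the party taking responsibility is the signing domain, and the signature does not vouch for the From: address itself. Any policy decision about the From: domain has to be a separate check layered on top of this data, never inferred from the mere presence of "from" in h=.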
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html