On 23/Oct/10 21:25, Barry Leiba wrote:
DKIM makes no statement about the validity of a "sender" address.
DKIM makes no statement about the validity of an Author address.
No matter how many times it is stated and repeated, it will never be
true. If one wants this to be true, then remove the required binding
the Author Address, A.K.A 5322.From.
No, not at all. While I think it was probably a mistake to make the
signing of ANY header fields "MUST" (we should have just put "From" in
with the other "SHOULD" fields), the fact that "From" MUST be signed
says, in itself, nothing about the *validity* of the address (nor the
display name) in that field. That's up to the signer.
A way to clarify this point is to say /why/ From MUST be signed. For
simplicity, I restrict my guessing to two possible reasons:
A) From MUST be signed because assuming that h= is not empty may
simplify something. The "From" header was chosen somewhat
randomly among fields that would have deserved a SHOULD anyway.
B) DKIM mandates signing From in order to pave the way for ADSP.
Indeed, ADSP semantics is largely anticipated in DKIM, although
not specified in the details.
The latter reason would require normative text to guard against double
fields in 4871bis, for consistency with RFC 4871's implicit assumptions.
IMHO, the new text in Murray's proposal would be easier to understand
if reason A, Barry's quoted paragraph above, or any similar informal
explanation were also added to the draft.
Gmail will sign mail that I send with my old IBM addresses in the
"From", though I have not worked for IBM for over a year and a
half, and no longer have any authorization from IBM to use those
addresses.
Is that "valid"?
Yes, in the sense that it is what the Author choose. More precisely:
The originator fields indicate the mailbox(es) of the source of the
message. The "From:" field specifies the author(s) of the message,
that is, the mailbox(es) of the person(s) or system(s) responsible
for the writing of the message.
It doesn't have to be a working mailbox, e.g.
noreply(_at_)example(_dot_)com(_dot_)
The responsibility that a signer claims may be delegated, e.g. "I make
no attempt at all to control my users' From: lines, since I know them
all and don't expect them to misbehave."
Even syntactical validity checks may be delegated to the Author's
client, according to message submission policies.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html