ietf-dkim

Re: [ietf-dkim] the usual misunderstanding about what DKIM promises

2010-10-25 17:27:45
On 10/23/10 12:25 PM, Barry Leiba wrote:
> On Fri, Oct 22, 2010 at 10:13 PM, Hector Santos<hsantos(_at_)isdg(_dot_)net> wrote:
>> John Levine wrote:
>>> DKIM makes no statement about the validity of a "sender" address.
>>> d/
>>> I guess I should have said Author address.
>>> DKIM makes no statement about the validity of an Author address.
>> I keep reading this but there is no technical merit to show there is
>> any truth to it, and in fact the only thing that is probably the
>> strongest validity is the Author Address.
>>
>> No matter how many times it is stated and repeated, it will never be
>> true. If one wants this to be true, then remove the required binding
>> the Author Address, A.K.A 5322.From.
> No, not at all.  While I think it was probably a mistake to make the
> signing of ANY header fields "MUST" (we should have just put "From" in
> with the other "SHOULD" fields), the fact that "From" MUST be signed
> says, in itself, nothing about the *validity* of the address (nor the
> display name) in that field.  That's up to the signer.

Agreed, but DKIM, at a minimum, requires the binding of the From header
field with that of the signature.  Many consumers of DKIM results may
rely upon this binding as a basis to extend trust of a signature to
include the From header field for trustworthy sorting or display.  The
signing domain, through an Out of Band method, may make assurances
about the From header field as having been authenticated to protect a
sorting or display process.  Wherever the DKIM verification process
occurs, it MUST ensure there is only a single From header field to
protect these results from being trivially exploited.

> It's all a question of what the signer is willing to sign.  I have two
> submission domains that I use.  One, gmail.com, which does DKIM
> signing, will only allow me to use a "From" address after it has sent
> a test message to that address and seen that I can access the test
> message.  So it's made *some* level of confirmation that I owned the
> address at the time I set it up.  But there's no confirmation that I
> still own the address, and there's certainly no assessment of the
> display name that I associate with it.  Gmail will sign mail that I
> send with my old IBM addresses in the "From", though I have not worked
> for IBM for over a year and a half, and no longer have any
> authorization from IBM to use those addresses.
>
> Is that "valid"?

At no time will the name be signed by IBM.  Identification depends upon
each domain's name reuse policy.  Some domains do not allow names to
be reused for this reason.  If IBM were to decide to reuse your old
email address for a different employee, they then risk having this name
confused with the original holder of the email address.  The same
problem occurs for mailing-lists and other methods that depend upon
seeing the same email-address.

> But that's all outside the scope of DKIM.  DKIM only provides
> assurance of the *signing* domain, and that the message has arrived
> substantially unchanged from when it was signed (modulo h= and c=).

Agreed.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
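
The single-From check called for in the reply above, as an added example that is not part of the original thread: it counts the From header fields and reads each signature's h= tag before any DKIM result is extended to the displayed author. It performs no cryptographic verification, and the function names and sample messages are constructed for illustration.

```python
from email import message_from_string

def signed_header_names(dkim_value):
    """Lower-cased field names from the h= tag of one DKIM-Signature value."""
    unfolded = "".join(dkim_value.splitlines())      # undo header folding
    for tag in unfolded.split(";"):
        name, _, value = tag.partition("=")
        if name.strip() == "h":
            return [h.strip().lower() for h in value.split(":") if h.strip()]
    return []

def check_from_binding(raw_message):
    """Pre-check before a DKIM result is extended to the displayed author."""
    msg = message_from_string(raw_message)
    from_count = len(msg.get_all("From", []))
    # How many times each DKIM-Signature lists "from" in its h= tag.
    signed_from = [signed_header_names(v).count("from")
                   for v in msg.get_all("DKIM-Signature", [])]
    if from_count != 1:
        reason = f"{from_count} From header fields; exactly one is required"
    elif not any(signed_from):
        reason = "no DKIM-Signature lists From in h="
    else:
        reason = ""
    return {"from_count": from_count, "signed_from": signed_from,
            "ok": reason == "", "reason": reason}

# Constructed sample messages (placeholder bh=/b= values, not real signatures).
SINGLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@example.com>\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)
# The same message carrying a second From header field.
DOUBLE = "From: Someone Else <other@example.org>\n" + SINGLE

if __name__ == "__main__":
    for label, raw in (("single", SINGLE), ("double", DOUBLE)):
        print(label, check_from_binding(raw))
```

A message that fails this pre-check should not have its signing domain's reputation applied to the author shown to the user, whatever the signature verification itself returns.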
