-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Douglas Otis
Sent: Monday, October 25, 2010 2:48 PM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Proposal for new text about multiple header issues
1) During the handling of a message in conjunction with a DKIM result
that indicates a valid signature, consider as valid only those fields
and the body portion that was covered by the signature. Note that this
is not to say unsigned content is not valid, but merely that the
signature is making no statement about it.
Bad advice. There is no other email component that can be relied upon to
restore flawed DKIM verification results, nor should DKIM relegate
determination of DKIM result validity to subsequent consumers.
But neither of those was the suggestion.
3) For any header field listed in Section 3.6 of [MAIL] as having an
upper bound on the number of times it can appear, include the name of
that field one extra time in the "h=" portion of the signature to
prevent addition of fraudulent instances. Any attachment of such
fields after signing would thus invalidate the signature (see Section
3.5 and 5.4 for further discussion).
Incomplete advice. This only provides partial protection, since it does
not prevent spoofing of a From header where an attacker controls or
utilizes a domain that does not include repeated From header entries
within the h= parameter.
I'm having trouble parsing that. Please propose alternate text, or show an
example of what you're describing.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html