
Re: [ietf-dkim] Output summary - proposing ODID "Originating Domain Identity"

2011-05-02 15:14:59
On 5/1/11 6:55 AM, Dave CROCKER wrote:

> [...]
>
> In other words, DKIM has nothing to do with the rfc5321.From field, and
> therefore it is entirely inappropriate -- that is, out of scope -- for the
> specification to suggest dealing with it.

You mean 5322.From?
And how should we read par. 3.2.2 of RFC4686 if it is out of scope for 
DKIM to deal with it?

    Bad acts related to email-based fraud often, but not always, involve
    the transmission of messages using specific origin addresses of other
    entities as part of the fraud scheme.  The use of a specific address
    of origin sometimes contributes to the success of the fraud by
    helping convince the recipient that the message was actually sent by
    the alleged author.

    To the extent that the success of the fraud depends on or is enhanced
    by the use of a specific origin address, the bad actor may have
    significant financial motivation and resources to circumvent any
    measures taken to protect specific addresses from unauthorized use.

    When signatures are verified by or for the recipient, DKIM _is
    effective in defending against the fraudulent use of origin addresses_
    on signed messages.


Although 5322.From is not mentioned here, how can DKIM provide any level 
of defense against fraudulent use of origin addresses, if d= is the one 
and only mandatory output of the verification process?

Or should we declare this paragraph obsolete?

/rolf
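To make the question above concrete, here is an added example (not part of the thread or of any DKIM implementation): it extracts the d= tag, the one mandatory verifier output, from a constructed message and shows that relating it to the rfc5322.From domain is a separate check layered on top of DKIM. No signature is actually verified; the b= and bh= values are placeholders, and the alignment rule is a simplified DMARC-style comparison, not the full organizational-domain rule.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not taken from the thread). The DKIM-Signature
# header is shaped like a real one, but bh= and b= are placeholders and
# nothing below performs cryptographic verification.
SAMPLE = """From: Alice <alice@example.com>
To: bob@example.org
Subject: test
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=sel;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

hello
"""


def signing_domain(msg):
    """Return the d= tag of the first DKIM-Signature header: the only output
    a verifier is required to produce. Assumes a real DKIM library has
    already checked the signature itself."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    # Tag=value pairs separated by ';'; folding whitespace is stripped per tag.
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    return tags.get("d", "").strip().lower() or None


def from_domain(msg):
    """Domain part of the rfc5322.From address."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def aligned(d, from_dom):
    """Simplified relaxed alignment: From domain equals d= or is a subdomain
    of it. DKIM itself asserts nothing about this; it is a separate policy."""
    if not d or not from_dom:
        return False
    return from_dom == d or from_dom.endswith("." + d)


def assess(raw):
    """Summarise what DKIM's d= output does and does not say about From."""
    msg = message_from_string(raw)
    d = signing_domain(msg)
    f = from_domain(msg)
    return {"d": d, "from_domain": f, "aligned": aligned(d, f)}
```

For the sample, d= is mailer.example.net while From is example.com, so the verifier output alone gives a recipient no basis for trusting the origin address.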
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
