Michael Deutschmann wrote:
One additional thought on the whole double-From: argument -- if RFC
language on the issue is justified at all, it really belongs in the
ADSP RFC, not a core DKIM one.
A double-From: doesn't even rise to the level of theoretical threat
except when dealing with ADSP (or a successor).

-1, we didn't need ADSP to show it was an empirical problem here.
Remember the President Obama message?

Now of course, if ADSP was a standard and whitehouse.com had an
exclusive signing policy, receivers would have rejected the junk
distributed by Dave's list server as an ADSP violation. But ADSP is a
pipe dream.

To the core DKIM spec, "From:" isn't magic at all. Rather than
enumerate every header that might be sensitive, we should put in a
non-normative note that layered protocols should consider the issue:

Not sure what that means - the 5322.From is the single most
fundamental header in the email system. DKIM could not change that
and it's why it's a thorn in the side that it's the one and only single
requirement for binding. At a minimum, a signature must have h=from.

This WG group has long suffered on the idea that From was a required
bind and the 3rd party trust advocates have tried to minimize that and
simply couldn't without proper logic.

The From signing requirement was based on the original framework when
POLICY was a natural part of the algorithm - the security aspects of
the protocol BROKE down when it was separated and we never got over it.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
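
As an added illustration of the double-From: case argued over in this message (not code from the thread or from any DKIM implementation), the receiver-side check below counts the From: fields in a message and compares that with how many times each DKIM-Signature's h= tag lists from. The sample message, addresses and the `check_from` / `signed_headers` names are constructed for the example.

```python
import email
import re

# Constructed sample: two From: fields, signature lists "from" only once.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;\r\n"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: President <president@example.gov>\r\n"
    "From: Someone <someone@example.org>\r\n"
    "To: list@example.net\r\n"
    "Subject: constructed test\r\n"
    "\r\n"
    "body\r\n"
)

def signed_headers(sig_value):
    """Return the lower-cased header names listed in a DKIM-Signature h= tag."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return [h.lower() for h in tags.get("h", "").split(":") if h]

def check_from(raw):
    """Return (number of From: fields, list of findings) for a raw message."""
    msg = email.message_from_string(raw)
    from_count = len(msg.get_all("From", []))
    findings = []
    if from_count != 1:
        findings.append(f"{from_count} From: fields (RFC 5322 allows exactly one)")
    for sig in msg.get_all("DKIM-Signature", []):
        # Each "from" entry in h= covers one From: instance, taken bottom-up.
        listed = signed_headers(sig).count("from")
        if listed == 0:
            findings.append("signature does not list from in h=")
        elif listed < from_count:
            findings.append(f"h= covers {listed} of {from_count} From: fields")
    return from_count, findings

if __name__ == "__main__":
    print(check_from(SAMPLE))
```

The check does not verify the signature itself; it only reports which From: fields a valid signature could vouch for.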