
Re: Last Call: <draft-ietf-dkim-rfc4871bis-12.txt> (DomainKeys Identified Mail (DKIM) Signatures) to Draft Standard

2011-06-22 12:28:51
On Wednesday, June 22, 2011 01:17:16 pm Murray S. Kucherawy wrote:
-----Original Message-----
From: ietf-bounces(_at_)ietf(_dot_)org [mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of Douglas Otis
Sent: Tuesday, June 21, 2011 6:51 PM
To: ietf(_at_)ietf(_dot_)org; Barry Leiba; iesg-secretary(_at_)ietf(_dot_)org; Sean Turner
Subject: Last Call: <draft-ietf-dkim-rfc4871bis-12.txt> (DomainKeys Identified Mail (DKIM) Signatures) to Draft Standard

[...]

This indicates the DKIM specification is seriously flawed.  While DKIM
may not offer author validation, it was intended to establish an
accountable domain for the signed message content that at a minimum
includes the From header field.  There are NO valid reasons for a valid
signature to include multiple From header fields!  Allowing multiple
From header fields is _EVIL_ and destroys DKIM's intended purpose as
defined by prior work.

This purported security flaw and surrounding FUD was discussed at huge
length in the working group, and consensus was clearly against the idea of
dealing with this in DKIM because it's the wrong place to address the
problem.  The record, both in the issues tracker and in the working
group's archive, is quite clear about this, and both are open to public
scrutiny.

And I find the tactic of taking a lost battle from a working group to the
IETF as a whole to be akin to the "Mom said no, I'll go ask Dad!" strategy
that I outgrew by the time I was a teenager...

While I'm not thrilled by the post-4871 changes in general, I think on this point there's not an issue. I recently worked through the multiple From case for a DKIM implementation I'm helping on and found sufficient guidance in RFC 4871 to deal with it reasonably. This was definitely beaten to death in the WG.

Scott K
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
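The "multiple From case" the thread argues about comes down to how the DKIM h= tag selects header instances (RFC 4871 section 5.4): each name listed in h= consumes the physically last not-yet-consumed instance of that header, and a name listed more times than the header occurs is signed as the empty string. The script below is an added example, not code from this thread or from any of the posters' implementations, and it assumes a simplified canonicalization (lowercased name, colon, value, CRLF) with a SHA-256 over the selected headers standing in for the real signature; the addresses and header blocks are constructed samples. It shows why a signature whose h= lists "from" once does not cover a second From field that arrives on top of the message, why listing "from" twice (oversigning) does, and the receiver-side check that a message with more than one From field should not be accepted at all.

```python
"""Illustrate DKIM h= header selection (RFC 4871 sec. 5.4) for the multiple-From case.

Added example, not code from the IETF thread. Canonicalization here is a
simplified stand-in, and a SHA-256 over the selected headers replaces the
actual RSA signature; only the selection rule is modelled faithfully.
"""
from __future__ import annotations

import hashlib


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a header block into (name, value) pairs in wire order, unfolding
    continuation lines; stops at the first blank line (start of the body)."""
    fields: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and fields:  # folded continuation of previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def select_signed_headers(fields: list[tuple[str, str]], h_tag: str) -> list[tuple[str, str]]:
    """Apply the h= rule: for each listed name take the physically last instance
    not already consumed; if none is left, that slot is signed as the empty string."""
    remaining = list(fields)  # consumed from the bottom of the header block upward
    selected: list[tuple[str, str]] = []
    for name in h_tag.split(":"):
        name = name.strip().lower()
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                selected.append((name, remaining[i][1]))
                del remaining[i]
                break
        else:
            selected.append((name, ""))  # listed more times than present: null slot
    return selected


def header_hash(fields: list[tuple[str, str]], h_tag: str) -> str:
    """Stand-in for the signed header hash: simplified canonical form of the
    selected headers, digested with SHA-256 (assumption: not real DKIM canon)."""
    canon = "".join(f"{name}:{value}\r\n" for name, value in select_signed_headers(fields, h_tag))
    return hashlib.sha256(canon.encode()).hexdigest()


def count_header(fields: list[tuple[str, str]], name: str) -> int:
    """Number of instances of a header field, case-insensitive by name."""
    return sum(1 for n, _ in fields if n.lower() == name.lower())


# Constructed sample: the header block as the signer saw it ...
ORIGINAL = (
    "From: alice@example.org\r\n"
    "To: bob@example.net\r\n"
    "Subject: hello\r\n"
)
# ... and the same message as received with a second From field on top.
WITH_EXTRA_FROM = "From: someone-else@example.org\r\n" + ORIGINAL


def signature_still_matches(h_tag: str) -> bool:
    """True if the extra From field leaves the signed header hash unchanged,
    i.e. the signature would still verify and the added field is uncovered."""
    return header_hash(parse_headers(ORIGINAL), h_tag) == header_hash(parse_headers(WITH_EXTRA_FROM), h_tag)


def should_reject(raw: str) -> bool:
    """Receiver-side check independent of the signature: RFC 5322 permits a
    single From field, so more than one is a reason not to accept the message."""
    return count_header(parse_headers(raw), "From") > 1


if __name__ == "__main__":
    print("h=from:subject      still verifies with extra From:", signature_still_matches("from:subject"))
    print("h=from:from:subject still verifies with extra From:", signature_still_matches("from:from:subject"))
    print("reject message with two From fields:", should_reject(WITH_EXTRA_FROM))
```

Run stand-alone, the first line reports True (the single "from" slot is satisfied by the original, bottom-most From, so the added one is simply not part of what was signed), the second reports False (the second "from" slot was signed as the empty string but now selects the added field, so verification fails), and the third shows the receiver rejecting the message on header count alone, which is the check that works regardless of how the signer chose h=.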
