
Review of: draft-otis-dkim-harmful

2013-06-04 09:55:50

The draft continues to make broad, onerous claims like this, but
provides no documentation to indicate that the DKIM signing specification
is flawed in the function it is performing:  attaching a validated domain
name to a message.

DKIM does not, in its current form, attach a validated domain name to a
message.  By adding one line "MUST NOT validate a message with multiple
From:'s", DKIM will attach a validated domain name to a message.


Here's the part of this I don't understand:
A DKIM signature does two things.  It *does* attach a validated domain name
(the domain in the d= tag).  And it tells the verifier what parts of the
message are covered by the signature (h= and l= tags).  There is no claim
in DKIM that the d= domain has any relation to the RFC 5322 From.  But the
h= tag does tell you how many From header fields are covered by the
signature.

Any verifier that wants to consider a message suspicious if the message
contains more From fields than are covered by the signature can do so, and
the DKIM spec does describe this situation.

You would like the spec to REQUIRE that a message be considered suspicious
under those circumstances.  You made your case for this at least twice to
the working group and at least once more to the IETF community during Last
Call of the draft that became RFC 6376.  Your opinion wasn't agreed with:
you were "in the rough".  You're now bringing it up a fourth time (at
least), and you still appear to be in the rough.   The decision was to
allow the verifier to decide how to handle this.

Being in the rough doesn't make you wrong.  But DKIM isn't wrong either,
and at some point you have to accept that you're standing alone, and accept
the consensus.

Barry
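
The verifier-side check described in the message above, comparing the number of From fields in a message with the number of times "from" is listed in the signature's h= tag, can be sketched as follows. This is an added example, not part of the original message or of any DKIM implementation; the function names and the sample message are constructed for illustration, and the code only counts fields, it does not verify the signature itself.

```python
from email import message_from_string

# Constructed sample: a second From field sits above a signature whose
# h= tag lists "from" only once. The bh= and b= values are placeholders.
SAMPLE = """\
From: Second Author <second@other.example>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: First Author <first@example.com>
To: reader@example.net
Subject: constructed sample
Date: Mon, 1 Jan 2024 00:00:00 +0000

body
"""

def signed_header_counts(dkim_value):
    """Return {lowercased field name: times listed in h=} for one signature."""
    tags = {}
    for part in dkim_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value
    # h= may be folded and may have whitespace around the colons.
    names = "".join(tags.get("h", "").split())
    counts = {}
    for name in names.split(":"):
        if name:
            counts[name.lower()] = counts.get(name.lower(), 0) + 1
    return counts

def uncovered_from_fields(raw_message):
    """Per DKIM-Signature: From fields present beyond those listed in h=."""
    msg = message_from_string(raw_message)
    present = len(msg.get_all("From", []))
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        listed = signed_header_counts(sig).get("from", 0)
        results.append(max(0, present - listed))
    return results

if __name__ == "__main__":
    for extra in uncovered_from_fields(SAMPLE):
        print("suspicious" if extra else "ok", "- uncovered From fields:", extra)
```

A non-zero result is the condition the message says a verifier may treat as suspicious; what to do with it is left to local policy.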