On Jun 4, 2013, at 9:13 AM, Murray S. Kucherawy <msk(_at_)blackops(_dot_)org>
wrote:
On Tue, Jun 4, 2013 at 4:08 AM, Douglas Otis
<doug(_dot_)mtview(_at_)gmail(_dot_)com> wrote:
In its current form, DKIM simply attaches a domain name in an unseen message
fragment, not a message. The ease in which the only assured visible fragment
of the message signed by the domain being forged makes it impossible for
appropriate handling to be applied or likely harm prevented.
There are existence proofs that contradict this claim. They have been
brought to your attention in the past.
Thank you for your response. Could I trouble you for a reference to the proofs
or for you to expand on what you specifically mean? The draft
otis-dkim-harmful addendum captured actual DKIM From header field spoofing
delivered to the in-box for several major providers.
It appears you're continuing to assign semantics to DKIM signatures that
simply aren't there. I don't know what else can be done to clarify this.
The semantics of d=domain and dkim=pass appear to be at the root of the
problem. What other semantics are you suggesting?
Procedurally speaking, what path do you anticipate your draft following?
To require messages with invalidly repeated header fields to not return a
"pass" for DKIM signature validation.
I apologize if I missed your response to a private query. I hope to post an
update shortly covering all expressed concerns.
Regards,
Douglas Otis