At 09:30 01-06-2007, Michael Thomas wrote:
I don't understand the reason for this restriction, and I understand
even less how you expect it to be enforced. Consider this:
border(spf)->mta(dkim)->delivery
why should it be illegal for the middle mta to add the dkim results
to the existing upstream auth-res? Does it cause some sort of security
problem? Or any other kind of problem? The only kind of security problem
I can see is if it added it to an _untrusted_ auth-res, but that would
be pretty silly.
Initially, the hostname could be used to tell where the results were
evaluated. That would explain why the dkim results shouldn't be
appended to a header inserted upstream. If we are going to use an
authentication identifier, we can append results if the border and
the mta are using the same identifier.
There may be a problem. Assuming that there was a spoofed header in
the message and for some reason, the border didn't process the
message for an auth-res header. mta will be adding the dkim results
to the untrusted auth-res header. This problem would be more
inherent to using the same identifier on more than one host.
Regards,
-sm
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html