
Re: [mail-vet-discuss] Straw consensus call on auth-header draft

2008-10-15 13:01:03
Charles Lindsey wrote:

> Yes, but I think you are missing Doug's point.

No, I got the point, but I fear it's a distraction from the work we're 
trying to complete.

> If the border MTA-X (re-)signs the message, including the added
> Authentication header, then it MUST (according to DKIM) cover the From
> header.

Absolutely, though also not relevant because (a) the From: was verified 
at the border by one or more methods already, and (b) we're only 
interested in protecting Authentication-Results: here.

> Then, if the paranoid recipient MUA-Y wants to check it, and consults
> MTA-X's SSP record, he will discover that the signature is "suspicious"
> (or whatever the latest euphemism is).

An MUA checking the DKIM signature generated inside its trust domain 
would have to know to avoid doing an ADSP check (which is not a required 
piece of DKIM anyway, plus presumably this was done at the border MTA).

Were I to change the draft to say "SHOULD DKIM-sign", I would add this 
caveat explicitly.  But right now I'd rather say the channel SHOULD be 
secured and merely suggest that there are available solutions to this 
problem, such as DKIM.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html 
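
As an added illustration (not part of the original message or of any draft): a header-only check of whether a signature from the trust domain lists From and enough Authentication-Results entries in h= to reach the field the border MTA added. DKIM selects repeated header fields bottom-up, so one h= entry signs only the lowest instance. The domain names, sample message and function names are constructed, and no cryptographic verification is done.

```python
from email import message_from_string

# Constructed sample: border MTA "mx.example.org" prepended its own
# Authentication-Results and then signed; an older A-R field sits below it.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=border;
 h=from:authentication-results; bh=PLACEHOLDER; b=PLACEHOLDER
Authentication-Results: mx.example.org; dkim=pass header.d=sender.example
Authentication-Results: unknown.example; spf=pass
From: alice@sender.example
Subject: test

body
"""

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def coverage(raw, trusted_domain):
    """Report whether a signature from trusted_domain covers From and the
    topmost Authentication-Results field below it. No crypto is checked."""
    headers = [(n.lower(), v) for n, v in message_from_string(raw).items()]
    for i, (name, value) in enumerate(headers):
        if name != "dkim-signature":
            continue
        tags = parse_tags(value)
        if tags.get("d", "").lower() != trusted_domain:
            continue
        signed = tags.get("h", "").lower().split(":")
        # Only fields below the signature existed when it was made.
        below = [n for n, _ in headers[i + 1:]]
        # h= entries select instances bottom-up, so the topmost A-R is
        # covered only if the name is listed once per instance below.
        n_ar = below.count("authentication-results")
        return {"from": "from" in signed,
                "border_ar": n_ar > 0 and
                signed.count("authentication-results") >= n_ar}
    return None  # no signature from the trusted domain
```
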
