Charles Lindsey wrote:
Yes, but I think you are missing Doug's point.
No, I got the point, but I fear it's a distraction from the work we're
trying to complete.
It the border MTA-X (re-)signs the message, including the added
Authentication header, then is MUST (according to DKIM) cover the From
header.
Absolutely, though also not relevant because (a) the From: was verified
at the border by one or more methods already, and (b) we're only
interested in protecting Authentication-Results: here.
Then, if the paranoid recipient MUA-Y wants to check it, and consults
MTA-X's SSP record, he will discover that the signature is "suspicious"
(or whatever the latest euphemism is).
An MUA checking the DKIM signature generated inside its trust domain
would have to know to avoid doing an ADSP check (which is not a required
piece of DKIM anyway, plus presumably this was done at the border MTA).
Were I to change the draft to say "SHOULD DKIM-sign", I would add this
caveat explicitly. But right now I'd rather say the channel SHOULD be
secured and merely suggest that there are available solutions to this
problem, such as DKIM.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html