JD, I fear you missed my point:
"Identity of the user or agent (e.g., a mailing list manager) on behalf of which this message is signed" does not mean that that user or agent was the author. So the value might be wonderfully stable, but its semantics say nothing about authorship. To repeat: There is nothing in DKIM that says or implies that it makes an assertion of valid From: field data. Any use of DKIM for validation of From: field contents goes beyond the base specification. For example, ADSP travels that path. d/ J.D. Falk wrote: >> What is delivered can be verified as what was sent. But what was sent is >> still >> free to be incorrect. > > With DKIM i=, it becomes possible to convey a stable identifier (though of > course there's no guarantee that the identifier is stable, leading to John's > t= suggestion.) Without DKIM (or something like it), as we know, any > potential identifiers are trivially forged. > > As Suresh pointed out, DKIM doesn't convey anything about who is using > Grandma's login credentials (in the case where Grandma's login credentials > can be associated with a stable, authenticatable identifier), but I'd say > that's out of scope here. > -- Dave Crocker Brandenburg InternetWorking bbiw.net _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html