Hence my original post with the suggested "special consideration" text for section 5.4 with regard to 5322.From.
--
HLS

Wietse Venema wrote:
> Wietse:
>> What I describe would be a best practice application of DKIM
>> mechanisms that already exist.
>>
>> Mail is signed as if there are N+1 instances of each header that
>> is covered by the DKIM signature. The verifier will then fail if
>> any such header is added after-the-fact.
>>
>> With this, there is no need to rely on enforcement mechanisms
>> outside DKIM, such as the correct implementation of RFC 5322.
>
> Murray S. Kucherawy:
>> I would suggest constraining that to include only those fields
>> that are 0-or-1 in RFC5322 Section 3.6. For example, doing this
>> with Received: is begging for signature invalidation on otherwise
>> unaltered messages.
>
> I see your point, but there are more "sensitive" headers than the
> 0-or-1 headers in RFC 5322 (IIRC, the N+1 signing method was
> introduced to protect MIME headers).
>
> I suppose that the guidelines for best practice application of DKIM
> could recommend what headers to sign with the N+1 signing method.
> These guidelines can be updated as RFC 5322 evolves, and as standards
> that extend RFC 5322 introduce new "sensitive" headers.
>
> Wietse
> _______________________________________________
> NOTE WELL: This list operates according to
> http://mipassoc.org/dkim/ietf-list-rules.html
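The N+1 ("over-signing") technique the thread argues about, worked through as an added example; this is illustrative code written for this page, not code from Wietse, Murray, or any DKIM implementation. It follows the header-selection rule of RFC 6376 section 5.4.2 (each name in h= consumes the bottom-most unused instance of that field; a name with no remaining instance contributes nothing, but the h= list itself is hashed as part of the DKIM-Signature header), with relaxed canonicalization simplified to lowercase-name-plus-whitespace-collapse. The message headers, domain, selector and the absence of a real RSA/Ed25519 signature and body hash are all assumptions made to keep the example focused on what h= covers.

```python
"""DKIM header over-signing (RFC 6376 s5.4.2) worked example.

Shows why listing a header N+1 times in h= makes a later insertion of that
header break verification, and why doing the same for Received: breaks on
messages that are otherwise unaltered. Constructed data; no real keys.
"""
import hashlib

# Constructed sample message headers, top to bottom (not from the post).
SIGNED_HEADERS = [
    ("From", "alice@example.com"),
    ("To", "bob@example.net"),
    ("Subject", "Quarterly numbers"),
    ("Date", "Mon, 1 Jan 2024 10:00:00 +0000"),
]

H_PLAIN = "from:to:subject:date"                         # one entry per field
H_OVERSIGNED = "from:from:to:to:subject:subject:date:date"  # N+1 entries
H_OVERSIGNED_RECEIVED = "from:from:received:received"    # Murray's objection


def select_headers(headers, h_tag):
    """Return the (name, value) pairs hashed for a given h= list.

    Per RFC 6376 s5.4.2 each name in h= takes the bottom-most instance of
    that field not already consumed by an earlier h= entry (names are
    case-insensitive). A name with no instance left adds nothing here; it
    still affects the hash because the h= tag is part of the signed
    DKIM-Signature header (see header_hash).
    """
    used = [False] * len(headers)
    chosen = []
    for name in h_tag.split(":"):
        name = name.strip().lower()
        for i in range(len(headers) - 1, -1, -1):
            if not used[i] and headers[i][0].lower() == name:
                used[i] = True
                chosen.append(headers[i])
                break
    return chosen


def relaxed_canon(name, value):
    """Simplified relaxed header canonicalization (RFC 6376 s3.4.2):
    lowercase field name, whitespace runs collapsed, value trimmed."""
    return name.lower() + ":" + " ".join(value.split()) + "\r\n"


def header_hash(headers, h_tag):
    """SHA-256 over the canonicalized selected headers plus the
    DKIM-Signature header with b= emptied, as a verifier rebuilds it.

    This stands in for the data a real signer would sign with its key;
    the body hash (bh=) and other tags are omitted (assumption).
    """
    data = "".join(relaxed_canon(n, v) for n, v in select_headers(headers, h_tag))
    sig = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel; h=%s; b=" % h_tag
    data += relaxed_canon("DKIM-Signature", sig).rstrip("\r\n")
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def verifies(original, received, h_tag):
    """True if the header hash the signer committed to still matches the
    message as received (i.e. the signature would verify)."""
    return header_hash(original, h_tag) == header_hash(received, h_tag)


def demo():
    """Run the four cases the thread discusses and return the outcomes."""
    # Attacker prepends a second From: after signing; MUAs typically show
    # the top-most one, but the signer's From: is still at the bottom.
    forged = [("From", "ceo@example.com")] + SIGNED_HEADERS
    # A downstream MTA prepends a Received: trace header (normal relaying).
    relayed = [("Received", "from mx.example.net by mx.example.org")] + SIGNED_HEADERS
    return {
        "plain_h_forged_from": verifies(SIGNED_HEADERS, forged, H_PLAIN),
        "oversigned_forged_from": verifies(SIGNED_HEADERS, forged, H_OVERSIGNED),
        "oversigned_relayed": verifies(SIGNED_HEADERS, relayed, H_OVERSIGNED),
        "oversigned_received_relayed": verifies(SIGNED_HEADERS, relayed, H_OVERSIGNED_RECEIVED),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-30s %s" % (case, "verifies" if ok else "FAILS"))
```

With one From: entry in h= the forged message still verifies, because the verifier hashes only the bottom-most From: and the added one is invisible to the signature. With from:from the second entry consumes the injected header and the hash changes, which is the property Wietse describes. The last case is Murray's caveat: over-signing Received: makes an ordinary relay hop fail the signature even though nothing meaningful changed, which is why 0-or-1 fields (From, Date, Subject, Message-ID and the like) are the natural candidates and trace fields are not.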