> -----Original Message----- > From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] > On Behalf Of Douglas Otis > Sent: Monday, October 25, 2010 2:48 PM > To: ietf-dkim@mipassoc.org > Subject: Re: [ietf-dkim] Proposal for new text about multiple header issues > > > 1) During the handling of a message in conjunction with a DKIM result > > that indicates a valid signature, consider as valid only those fields > > and the body portion that was covered by the signature. Note that this > > is not to say unsigned content is not valid, but merely that the > > signature is making no statement about it. > > Bad advice. There is no other email component that can be relied upon to > restore flawed DKIM verification results, nor should DKIM relegate > determination of DKIM result validity to subsequent consumers.
But neither of those was the suggestion. > > 3) For any header field listed in Section 3.6 of [MAIL] as having an > > upper bound on the number of times it can appear, include the name of > > that field one extra time in the "h=" portion of the signature to > > prevent addition of fraudulent instances. Any attachment of such > > fields after signing would thus invalidate the signature (see Section > > 3.5 and 5.4 for further discussion). > > Incomplete advice. This only provides partial protection, since it does > not prevent spoofing of a From header where an attacker controls or > utilizes a domain that does not include repeated From header entries > within the h= parameter. I'm having trouble parsing that. Please propose alternate text, or show an example of what you're describing. _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html