On Nov 8, 2010, at 1:20 AM, Barry Leiba wrote: > 2. The DKIM spec should probably say that signers need to sign valid > messages, and, therefore, SHOULD NOT sign things like this. Text > along the line of this might work well: > "Signers SHOULD take reasonable steps to ensure > that the messages they're signing are valid according to [RFC 5322, > etc]." Leaving the definition of "reasonable" out allows flexibility. It > may be waffly, but I like the approach in this case.
+1 > 3. It'd be reasonable for the DKIM spec to remind verifiers that > signers aren't supposed to sign stuff like this, so they might > consider that when deciding what to do with it after verification. > It'd be reasonable to remind them of this particular case. But > I think that all ought to be informative text. Seems unnecessary per #2 above, but I don't care all that much either way. > 4. We should agree to this or some variant of it, and then move on. > This is not meant to satisfy everyone. In fact, it isn't what I'd prefer, > if I had my full choice. But it takes care of the problem in a way > that I think is sufficient, and allows us to resolve the issue. +1 On Nov 8, 2010, at 7:52 AM, Scott Kitterman wrote: > Rather than fall back purely on 5322, I'd prefer to see something in security > considerations that says if the count of a particular header field that is > supposed to be limited (e.g. From and Subject) present in a message exceeds > the number of signed fields, then the signature shouldn't be verified. I'd have no objection to this either. At this point the only strong objection I'd have would be if the consensus measurement were based on one or two people repeatedly expressing Very Strong Feelings while the rest (like me) mostly don't care. A "meh" result is not the same as a yes or no. _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
