On 05/04/2011 03:55 PM, Rolf E. Sonneveld wrote: > > Well, I think you both are right in reading what my concern/objection > against 4871bis is. And maybe you're also right in that RFC4871 wasn't > that much different of RFC4871bis. > > I think in the early days of DKIM most people assumed DKIM would > become a protocol where: > > * the body hash and header hash, using various header fields, > certifies the DKIM signature and > * the DKIM signature certifies the body and header fields, that > had been used to create the DKIM signature. >
Rolf, By "certify" do you mean "assert that they are true/correct/something along those lines"? DKIM doesn't make such assertions because there's no way absent a good deal more infrastructure that a receiver should believe such an assertion. The addition of ADSP adds one mechanism that allows a very narrow assertion about From to the author domain be believable, but we certainly do not have anything beyond that. If there was some verbiage in the security analysis, it is likely because the precise delineation of signing protocol (DKIM) and policy protocol (ADSP) was was not completely gelled at the time -- 4686 was put together mainly to get past some process hurdles (imo) to form the wg, so it's pretty early. But even then there was no intent to "certify" other header fields other than From. Mike _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html