Charles Lindsey wrote:

> I think it is clear that these attacks will work if deployers fail to
> watch out for them. The only question is how long it will take the Bad
> Guys to spot the opportunities (and for sure they WILL spot them - sooner
> probably than later).
+1

To me, the protocol requires a highlighted, explicit ONE FROM signing and verifier rule. It SHOULD NOT continue to sign a multi-From message, and it SHOULD invalidate the verification of a multi-From message. Anything above that is SWAGGING and exploratory in nature, and a consideration only to address legacy signers and verifiers, which includes receivers or internal mail creators that don't allow multiple From headers.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
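The ONE FROM rule above, as an added example that is not part of the original thread or of any DKIM implementation: a signer that refuses to sign a message with more than one From header, and a verifier that fails such a message regardless of what the cryptographic check says. The sample messages are constructed; the signature is an HMAC over the canonicalized signed headers, a stand-in for DKIM's real public-key signature, and the header selection follows the bottom-up rule of RFC 6376 section 5.4.2 so that the legacy behaviour (a prepended From not being covered by the signature) is reproduced.

```python
import hashlib
import hmac

# Constructed sample: a legitimately signed message with exactly one From.
ORIGINAL = (
    "From: alice@example.com\r\n"
    "To: bob@example.net\r\n"
    "Subject: Hello\r\n"
    "\r\n"
    "body\r\n"
)
# Constructed: what a receiver sees after an attacker prepends a second From.
TAMPERED = "From: ceo@bank.example\r\n" + ORIGINAL

SIGNED_FIELDS = ["from", "to", "subject"]      # the h= list of the signature
TOY_KEY = b"not-a-real-dkim-key"               # stand-in for the signer's private key


def parse_headers(raw):
    """Split the header block into (name, value) pairs, unfolding continuation lines."""
    block = raw.split("\r\n\r\n", 1)[0]
    fields = []
    for line in block.split("\r\n"):
        if line[:1] in (" ", "\t") and fields:          # folded continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def count_field(fields, name):
    """Case-insensitive count of a header field name."""
    return sum(1 for n, _ in fields if n.lower() == name.lower())


def select_signed_fields(fields, names):
    """RFC 6376 5.4.2: for each name in h=, take the *last* not-yet-used instance (bottom-up)."""
    used = set()
    chosen = []
    for name in names:
        for i in range(len(fields) - 1, -1, -1):
            if i not in used and fields[i][0].lower() == name.lower():
                used.add(i)
                chosen.append(fields[i])
                break
    return chosen


def header_hash_input(fields, names):
    """Relaxed-style canonicalization: lowercase name, whitespace collapsed, CRLF terminated."""
    return "".join(
        "%s:%s\r\n" % (n.lower(), " ".join(v.split()))
        for n, v in select_signed_fields(fields, names)
    ).encode()


def toy_signature(raw, key, names):
    """HMAC-SHA256 over the signed headers; stand-in for DKIM's RSA/Ed25519 signature."""
    return hmac.new(key, header_hash_input(parse_headers(raw), names), hashlib.sha256).hexdigest()


def sign(raw, key, names, one_from_rule=True):
    """Return a signature, or None when the ONE FROM rule refuses a multi-From message."""
    if one_from_rule and count_field(parse_headers(raw), "from") != 1:
        return None
    return toy_signature(raw, key, names)


def verify(raw, key, names, sig, one_from_rule=True):
    """With the rule on, a multi-From message fails no matter what the crypto says."""
    if one_from_rule and count_field(parse_headers(raw), "from") != 1:
        return False
    return hmac.compare_digest(toy_signature(raw, key, names), sig)


def demo():
    sig = sign(ORIGINAL, TOY_KEY, SIGNED_FIELDS)
    return {
        "original_verifies": verify(ORIGINAL, TOY_KEY, SIGNED_FIELDS, sig),
        # Legacy verifier: bottom-up selection still picks the signed From, so it passes.
        "tampered_legacy_verifier": verify(TAMPERED, TOY_KEY, SIGNED_FIELDS, sig, one_from_rule=False),
        # Strict verifier: two From headers, verification invalidated.
        "tampered_strict_verifier": verify(TAMPERED, TOY_KEY, SIGNED_FIELDS, sig),
        # Strict signer: refuses to sign the multi-From message at all.
        "signer_refuses_multi_from": sign(TAMPERED, TOY_KEY, SIGNED_FIELDS) is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The legacy result is the interesting one: because header selection runs from the bottom of the header block upward, the attacker's prepended From is simply never part of the hashed input, so the signature stays valid on a message whose first (displayed) From the signer never saw. The count check in `sign` and `verify` is the whole of the rule; it costs one pass over the headers and needs no key material.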