On Wednesday, June 22, 2011 01:17:16 pm Murray S. Kucherawy wrote:
> > -----Original Message-----
> > From: ietf-bounces@xxxxxxxx [mailto:ietf-bounces@xxxxxxxx] On Behalf Of
> > Douglas Otis
> > Sent: Tuesday, June 21, 2011 6:51 PM
> > To: ietf@xxxxxxxx; Barry Leiba; iesg-secretary@xxxxxxxx; Sean Turner
> > Subject: Last Call: <draft-ietf-dkim-rfc4871bis-12.txt> (DomainKeys
> > Identified Mail (DKIM) Signatures) to Draft Standard
> >
> > [...]
> >
> > This indicates the DKIM specification is seriously flawed. While DKIM
> > may not offer author validation, it was intended to establish an
> > accountable domain for the signed message content that at a minimum
> > includes the From header field. There are NO valid reasons for a valid
> > signature to include multiple From header fields! Allowing multiple
> > From header fields is _EVIL_ and destroys DKIM's intended purpose as
> > defined by prior work.
>
> This purported security flaw and surrounding FUD was discussed at huge
> length in the working group, and consensus was clearly against the idea of
> dealing with this in DKIM because it's the wrong place to address the
> problem. The record, both in the issues tracker and in the working
> group's archive, is quite clear about this, and both are open to public
> scrutiny.
>
> And I find the tactic of taking a lost battle from a working group to the
> IETF as a whole to be akin to the "Mom said no, I'll go ask Dad!" strategy
> that I outgrew by the time I was a teenager...

While I'm not thrilled by the post-4871 changes in general, I think on this
point there's not an issue. I recently worked through the multiple From case
for a DKIM implementation I'm helping on and found sufficient guidance in
RFC 4871 to deal with it reasonably. This was definitely beat to death in
the WG.

Scott K