On Thu, 2005-02-03 at 11:44 +0100, Tom Kistner wrote:
>
> > Which identity are you using for checking the signature? If a message
> > has different addresses in From:, Sender: and Resent-From: headers,
> > which of those will you use for the purpose of checking DK?
>
> The underlying reference implementation does that. It uses the value of
> the d= parameter from the DomainKey-Signature header.
>
> draft-delany-domainkeys-base-01.txt says:
>
> d = The domain name of the signing domain. This tag MUST be
> present. In conjunction with the selector tag, this domain
> forms the basis of the public-key query. The value in this tag
> MUST match the domain of the sending email address or MUST be
> one of the parent domains of the sending email address.
What is the 'sending email address' in this context? Your use of
$sender_address_domain in the example ACL seems to imply that you're
using the reverse-path.
That seems to be the _sensible_ thing to do -- the reverse-path is
almost always going to be changed when the message may suffer mangling
due to being resent by a user or mailing list. But is that what the
draft says you're _supposed_ to do?
People seem to have been resistant to the idea that we should be using
the reverse-path instead of grubbing around the headers for a 'Purported
Responsible Address', or just pretending we think that a signature from
the domain in the From: header will survive.
Thanks a lot for doing this, btw.
--
dwmw2