On Mon, Jun 9, 2014 at 8:59 PM, Stephen J. Turnbull <[email protected]> wrote:
> [2] PGP can be worked around by placing the signed body in a separate > MIME part from the header and/or footer parts, and DKIM could at least > be adapted to decorated subjects using z= and footers using l=, > although this would require MUA support to be at all realistic (and if > John Levine's most pessimistic assessment of typical users' ability to > interpret MUA signals is correct, these workarounds are too dangerous > to be used). > The use of z= to get a "secondary" validation of an originator's signature makes me uneasy. A failed signature is supposed to fail. If one wishes to allow Subject: field alterations, then don't sign it. (I would rather abolish the practice of Subject tagging altogether and use the List-* fields to identify and sort list posts, but I am fully aware it's me vs. deployed inertia there.) Back in the DKIM WG days, that was also the consensus position as I recall. We also didn't expect MUAs to show which header fields or what part of the body were covered by a signature; the output of DKIM signature validation is just pass/fail and a domain name. Moreover, give a message with multiple signatures that passed yet covered different stuff, what could an MUA do that wouldn't be utterly confusing to users? I think back then someone suggested a modified header canonicalization method that was the same as "relaxed" except that a single limited-size token surrounded by square brackets and followed by a couple of whitespaces at most would be omitted from the hash, which would mean Subject tagging doesn't invalidate anything. It was rejected, but I can't remember why off the top of my head, maybe something to do with the fact that the unmodified Subject field could also start the same way, so it's ambiguous. Either way, to do it now would mean touching every deployed DKIM signer/validator out there. Finally, in addition to DKIM-Delegate, I posted another draft that captures a MIME-sensitive body canonicalization proposal that was suggested some time ago by Ned Freed. It may or may not be interesting for this effort. It's here: https://datatracker.ietf.org/doc/draft-kucherawy-dkim-list-canon/ -MSK
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
