John Levine writes:

> >Playing around with ideas here. This one removes the "l=0" signature stuff
> >and instead makes DKIM-Delegate into a more self-contained thing, which I
> >believe was suggested (or at least inspired) by Stephen's comments. There
> >is still the potential for abuse during the ephemeral relationship period
> >(i.e., prior to expiration), but it is now an indirect attack on the
> >author domain rather than a direct one. Perhaps that's more palatable in
> >this scenario.
> >
> >Comments welcome.
>
> This looks an awful lot like my draft-levine-cdkim-00 and
> draft-levine-dkim-conditional-00 except that mine has more bits of
> DKIM in the cdkim signature so it can sign To and From to limit the
> range of spoofage.

I'm not sure about the plusses and minuses of signing To: (and Cc:), but I agree that the new version (which I like a lot) would definitely be more valuable to Author Domains if the signature covered From:. It's not obvious to me that this couldn't be REQUIRED rather than an option (with attendant complication of the protocol), since Mediators that "take ownership" of From: (eg, anonymizers) will then be "first parties". Unless the Mediator chose to use a *different* mailbox in the Author Domain, but I don't see why the Author Domain would want to permit that unless the Mediator is controlled by the Author Domain.
