On Thu, Apr 2, 2015 at 6:59 AM, Anne Bennett <[email protected]> wrote:
> > As I recall this was considered during the development of DKIM originally,
> > exactly for this reason. We rejected it because we couldn't come up with a
> > safe description of what a tag should look like. If arbitrary text is
> > allowed in there, then one could "tag" a spam URL at the front of a
> > legitimate message's Subject field and the signature would still pass.
>
> Right, but if that tag were explicitly deemed to be excluded
> from the signature, it could be handled differently. Hmm, but
> if this resulted in (for example) the tag not being displayed,
> then we would have gained nothing in the case of mailing lists.

Handled by whom? If we're talking about telling MUAs "Don't render the unsigned part of the content the same way as the signed content", then a bunch of additional complexities begin to appear:

- MUAs now need to know how to do DKIM themselves, so that they know what parts were signed and what parts were not; alternatively, we need a way to signal between the DKIM verifier and the MUA what parts are safe to render, beyond what Authentication-Results already provides

- We're wandering into conversations about how MUAs should interact with users, which this community typically avoids like a terrible allergy

- Even if the above aren't problems, we're relying on MUAs to adapt to this change in a relatively short period of time

Here be dragons.

-MSK
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
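The concern raised in the quoted text above, shown as an added example that is not part of the original message or of any DKIM implementation. The tag-exclusion rule (`LEADING_TAG`), the function names and the sample subjects are assumptions constructed for illustration, and a SHA-256 digest of the canonicalized field stands in for the signed header hash.

```python
import hashlib
import re

# Hypothetical rule (never adopted): a single leading "[...]" tag in the
# Subject field is excluded from what the signature covers.
LEADING_TAG = re.compile(r"^\s*\[[^\]]*\]\s*")


def relaxed_header(name, value):
    """RFC 6376 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n".encode()


def covered_digest(subject, exclude_tag):
    """Digest of the Subject bytes the signature would cover."""
    if exclude_tag:
        subject = LEADING_TAG.sub("", subject, count=1)
    return hashlib.sha256(relaxed_header("Subject", subject)).hexdigest()


# Constructed sample subjects: as signed, as tagged by a list, and with
# arbitrary text placed in the tag position.
SIGNED = "Quarterly report"
VARIANTS = {
    "list_tag": "[dmarc] Quarterly report",
    "url_tag": "[http://spam.example/offer] Quarterly report",
}


def still_verifies(exclude_tag):
    """Map each variant to whether its covered digest matches the signed one."""
    expected = covered_digest(SIGNED, exclude_tag)
    return {name: covered_digest(subj, exclude_tag) == expected
            for name, subj in VARIANTS.items()}


if __name__ == "__main__":
    print("tag excluded from signature:", still_verifies(True))
    print("whole Subject signed:       ", still_verifies(False))
```

With the tag excluded, the verifier cannot distinguish the list's tag from the URL; with the whole Subject signed, both modifications break the match, which is the mailing-list problem the thread is discussing.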
