I updated my conditional signature draft, which is now (thanks to a suggestion from Ned Freed) the mandatory tag draft.

https://tools.ietf.org/html/draft-levine-dkim-conditional-01

The idea is that you have a weak signature on To, From, Date, Message-ID but not subject or body, with a new tag that says the signature is only valid if it's also signed by a specified other party, who would be the entity that you expect to forward the message. So I send a message signed like this:

  From: [email protected]
  To: [email protected]
  DKIM-Signature: ...; d=taugh.com; ...                ordinary good strong signature
  DKIM-Signature: ...; d=taugh.com; @fs=ietf.org; ...  weak signature, not good yet

The list does what it does to the message, and now it's signed like this:

  From: [email protected]
  To: [email protected]
  DKIM-Signature: ...; d=taugh.com; ...                broken strong signature
  DKIM-Signature: ...; d=taugh.com; @fs=ietf.org; ...  weak signature, good because it's also signed by ietf.org
  DKIM-Signature: ...; d=ietf.org; ...                 new good strong signature

It seems to me that this addresses the same issues that the list mutation stuff does with a lot less complication, and without having to enumerate all of the ways that a list might change the message. It only assumes that the list won't change To, From, Date, or Message-ID, which matches my list experience. The list can make arbitrary changes to the message body, but if it does, you know who to blame.

As a lazy list operator, I also like the fact that it doesn't require lists to do anything different from what they should be doing now, sign their outgoing mail. Senders put additional weak signatures on mail sent to addresses that might be mailing lists, verifiers have to upgrade to understand new signatures. Note that smelling like a mailing list is not the same as whitelisting mailing lists.

R's,
John

PS: The spec uses DKIM-Signature v=2 since mandatory tags aren't backward compatible, but can we please not go down that rathole again, at least not until we consider whether double signing is useful.
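The verifier-side half of the scheme above, as an added example (not code from the draft, from John, or from any DKIM implementation): given the DKIM-Signature headers on a message and the outcome of the ordinary cryptographic check on each (the header/body hash and key verification that a conventional verifier already does, passed in here as a boolean rather than recomputed), it applies the two rules the post relies on. A signature carrying a mandatory "@" tag the verifier does not understand is treated as not verified, which is why the draft bumps v= to 2, and a signature carrying @fs=domain is accepted only if a valid signature from that domain is also present. The sample headers are constructed from the post's example; tag names other than @fs, the h= lists and the "..." placeholders for b=/bh= are assumptions.

```python
# Added example: evaluating DKIM signatures with mandatory ("@") tags and the
# @fs conditional tag described in the post.  Assumption: crypto_ok is the
# result of a conventional DKIM verifier (hash + key check) for that header.

KNOWN_MANDATORY_TAGS = {"@fs"}   # mandatory tags this verifier understands
SUPPORTED_VERSIONS = {"1", "2"}  # v=2 marks signatures that may carry "@" tags


def parse_tags(header_value):
    """Parse a DKIM tag=value list into a dict.

    Folding whitespace inside values is removed, as RFC 6376 tag parsing does.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[name.strip()] = "".join(value.split())
    return tags


def evaluate(signatures):
    """signatures: list of (header_value, crypto_ok) in header order.

    Returns a list of (d= domain, valid, reason) in the same order.
    """
    parsed = [(parse_tags(hv), ok) for hv, ok in signatures]
    memo = {}

    def valid(i, stack):
        if i in memo:
            return memo[i]
        if i in stack:  # two @fs signatures vouching for each other prove nothing
            return (False, "circular @fs dependency")
        tags, crypto_ok = parsed[i]
        unknown = sorted(t for t in tags
                         if t.startswith("@") and t not in KNOWN_MANDATORY_TAGS)
        if tags.get("v") not in SUPPORTED_VERSIONS:
            result = (False, "unsupported v=%s" % tags.get("v"))
        elif unknown:
            # Mandatory tag we cannot interpret: the signature must not be
            # treated as verified (this is what a v=1-only verifier would
            # get wrong by silently ignoring the tag).
            result = (False, "unknown mandatory tag(s): %s" % ", ".join(unknown))
        elif not crypto_ok:
            result = (False, "signature does not verify")
        elif "@fs" in tags:
            # Weak signature: only good if the named forwarder also signed
            # the message with a signature that is itself valid.
            fs = tags["@fs"].lower()
            vouched = any(
                parsed[j][0].get("d", "").lower() == fs and valid(j, stack | {i})[0]
                for j in range(len(parsed)) if j != i
            )
            if vouched:
                result = (True, "verified; also signed by %s" % fs)
            else:
                result = (False, "no valid signature from %s" % fs)
        else:
            result = (True, "verified")
        memo[i] = result
        return result

    return [(parsed[i][0].get("d", ""),) + valid(i, frozenset())
            for i in range(len(parsed))]


# Constructed sample: the post's three headers after the list has rewritten
# the body.  The first (strong, covers subject/body) no longer verifies; the
# weak one and the list's own signature do.
AFTER_LIST = [
    ("v=1; a=rsa-sha256; d=taugh.com; s=k1; "
     "h=from:to:date:message-id:subject; bh=...; b=...", False),
    ("v=2; a=rsa-sha256; d=taugh.com; s=k1; @fs=ietf.org; "
     "h=from:to:date:message-id; bh=...; b=...", True),
    ("v=1; a=rsa-sha256; d=ietf.org; s=k1; "
     "h=from:to:date:message-id:subject; bh=...; b=...", True),
]

if __name__ == "__main__":
    for domain, ok, why in evaluate(AFTER_LIST):
        print("%-10s %-5s %s" % (domain, ok, why))
```

Running it on the constructed sample reports the strong taugh.com signature as broken, the @fs signature as verified because ietf.org's own signature is valid, and the ietf.org signature as verified; drop the ietf.org header and the weak signature is reported as not verified, which is the property that keeps the weak signature from being useful to anyone other than the named forwarder.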
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
