https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-16#section-5.1.2
Originally, even in the event of a chain validation failure, the Sealer's ARC-Seal would sign all ARC header fields on the message. When we introduced the concept of cv=invalid last year, the advice was to only sign your own ARC Set, because there was no deterministic way to know which header fields to sign when those ARC header fields were not properly intact (the definition of invalid). We then decided to abandon the cv=invalid path and only have cv=fail.

Somehow, in the current doc this advice for invalid chains now applies to all chain failures. Section 5.1.2's title even mentions it is for the invalid case, but the text as written applies to all failed chains. Without the ARC Seal covering the ARC header fields in the failing chain, all the data in the failed chain can be modified as it is not covered under the latest signature.

The proper guidance should be that the ARC-Seal MUST sign the ARC Chain in its entirety, unless that is structurally impossible, in which case it should only sign itself.

I believe the proper text for this section (replacing the first paragraph for 5.1.2 in its entirety) should be:

   In the event that it is not possible to generate a deterministic list of previous ARC Sets to sign (such as when the chain undergoing validation is structurally invalid), the signature scope of the AS header field b= value MUST only include the latest ARC Set headers as if this newest ARC Set was the only set present.
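An added example, not part of the original message or the draft: a Python sketch of the scope selection the message proposes, where the new ARC-Seal covers every prior ARC Set whenever the chain is structurally intact (even if it validates as cv=fail) and covers only the sealer's own set otherwise. The function names, the sample headers, the structural test (exactly one AAR, AMS and AS for each instance 1..N) and the per-set AAR, AMS, AS ordering are assumptions of this example.

```python
import re
from collections import defaultdict

ARC_FIELDS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")
INSTANCE_RE = re.compile(r"(?:^|;)\s*i\s*=\s*(\d+)\s*(?:;|$)")

def group_arc_sets(headers):
    """Group ARC (name, value) fields by instance; None if one has no usable i= tag."""
    sets = defaultdict(lambda: defaultdict(list))
    for name, value in headers:
        canonical = next((f for f in ARC_FIELDS if f.lower() == name.lower()), None)
        if canonical is None:
            continue  # not an ARC header field, never part of the AS scope
        m = INSTANCE_RE.search(value)
        if m is None:
            return None
        sets[int(m.group(1))][canonical].append((canonical, value))
    return sets

def seal_scope(existing_headers, new_set):
    """Ordered header fields the new ARC-Seal b= covers; new_set is the sealer's own triple."""
    sets = group_arc_sets(existing_headers)
    n = len(sets) if sets is not None else 0
    # Deterministic list: instances 1..n contiguous, one of each field per instance.
    deterministic = sets is not None and all(
        len(sets[i][f]) == 1 for i in range(1, n + 1) for f in ARC_FIELDS
    )
    if not deterministic:
        return list(new_set)  # structurally invalid: sign as if only this set existed
    scope = []
    for i in range(1, n + 1):
        scope.extend(sets[i][f][0] for f in ARC_FIELDS)
    return scope + list(new_set)  # a failed but intact chain stays fully covered

# Constructed sample data; signature values are elided as "...".
def arc_set(i, cv):
    return [("ARC-Authentication-Results", f"i={i}; mx.example; spf=pass"),
            ("ARC-Message-Signature", f"i={i}; a=rsa-sha256; d=example; s=s1; b=..."),
            ("ARC-Seal", f"i={i}; a=rsa-sha256; cv={cv}; d=example; s=s1; b=...")]

INTACT = arc_set(1, "none") + arc_set(2, "pass")      # may still fail crypto checks
BROKEN = arc_set(1, "none") + arc_set(3, "pass")[:2]  # gap at i=2, AS missing at i=3
NEW_SET = arc_set(3, "fail")

if __name__ == "__main__":
    for label, chain in (("intact", INTACT), ("broken", BROKEN)):
        print(label, len(seal_scope(chain, NEW_SET)), "header fields in AS scope")
```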