On Sun 06/Dec/2020 18:01:04 +0100 Michael Thomas wrote:
> On 12/6/20 5:40 AM, Alessandro Vesely wrote:
>> On Sun 06/Dec/2020 02:34:45 +0100 Michael Thomas wrote:
>>>> 5) The work you and Alessandro have done with reverse transformation is
>>>> more likely to produce a solution for the mailing lists. The lists will
>>>> continue to do From rewrite, but reverse-transform recipients can validate
>>>> the true source of the message and restore the From if desired.
>>> I'm starting to get a little more serious about my quip that the MLM can
>>> insert a sed script in a header to unmangle the message since it knows what
>>> transforms it has done, unlike the receiving MTA trying to guess the common
>>> transformations.
>> But then the receiving MTA will have to guess whether the sed script
>> considerably alters the intended meaning of the message. For example, does it
>> change a bank account number?
> This actually highlights why my observation is correct. If the intermediary
> showed how to reverse their changes perfectly to be able to validate the
> original signature, it says nothing about whether those changes to be delivered
> to the recipient are acceptable to the originating domain. For the case of a
> bank sending me sensitive mail, the answer is that it is never ok. For somebody
> working on internet standards working on ietf lists, the answer is that it is
> fine. Hence trying to get two states of the one "reject" is insufficient.
For MLM transformations, this choice can be made by tuning DKIM signatures. A
bank can choose to sign the Sender: field (or lack thereof), or any other fields
that an MLM has to change, and possibly use simple canonicalization. In those
conditions, transformation reversion won't work. It isn't a distinct DMARC
state, formally. Yet, tuning DKIM signatures allows one to harden or weaken the
given DMARC state.
Best
Ale
--
_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc
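
The signature tuning described in the last reply above, as an added example that is not part of the original thread: it reads a DKIM-Signature tag list (RFC 6376) and reports which typical mailing-list changes would invalidate it. The function names, the sample signatures and the `.example` domains are constructed for illustration.

```python
import re

def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature tag list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags

def signature_posture(header_value, message_fields):
    """Report how a signature reacts to common mailing-list (MLM) changes.

    message_fields: names of the header fields present in the message as signed.
    """
    tags = parse_dkim_tags(header_value)
    # c= is "header/body"; both default to simple, body defaults to simple if omitted.
    header_c, _, body_c = tags.get("c", "simple/simple").partition("/")
    body_c = body_c or "simple"
    signed = [f.lower() for f in tags.get("h", "").split(":") if f]
    present = [f.lower() for f in message_fields]

    def absence_signed(name):
        # A name listed in h= more often than it occurs in the message signs the
        # absence of a further instance: adding that field breaks the signature.
        return signed.count(name) > present.count(name)

    return {
        "header_canon": header_c,
        "body_canon": body_c,
        "sender_covered": "sender" in signed,
        "adding_sender_breaks": absence_signed("sender"),
        "subject_tag_breaks": "subject" in signed,
        # Only relaxed body canonicalization ignores whitespace-only rewrapping.
        "body_whitespace_tolerated": body_c == "relaxed",
    }

# Constructed samples; bh=/b= values are placeholders, not real hashes.
HARDENED = ("v=1; a=rsa-sha256; c=simple/simple; d=bank.example; s=sel1;\r\n"
            " h=from:to:subject:date:sender:list-id; bh=PLACEHOLDER; b=PLACEHOLDER")
LENIENT = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=participant.example; s=sel1;"
           " h=from:to:date; bh=PLACEHOLDER; b=PLACEHOLDER")
FIELDS = ["From", "To", "Subject", "Date"]  # the signed message has no Sender:

if __name__ == "__main__":
    for label, sig in (("hardened", HARDENED), ("lenient", LENIENT)):
        print(label, signature_posture(sig, FIELDS))
```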