On October 8, 2021 4:18:45 PM UTC, Dave Crocker <[email protected]> wrote: >On 10/8/2021 9:09 AM, Scott Kitterman wrote: >> So originator includes From and Author and signs both. Then the mediator >> (e.g. MLM) minges From and signs again. Receiver checks DMARC and it >> passes. Then receiver sends feedback to both Author and From domains? > >The purpose of the Author field is to retain some information that >presumably won't get modified. Whether to actually 'believe' that >information is a different matter, just as it is for all other header >fields. And let's be clear that including a field in a DKIM signature >does NOT validate its contents. > >DMARC adds to the semantics with its definition of alignment. It's part >of DMARC, not DKIM. > >So it's certainly reasonable to include the Author: field in the set >that produce the DKIM signature, but that inclusions does not have any >semantic other than it didn't get changed since the signing. Data >integrity is nice but is quite different from validation. > >Since you are pressing the concern, perhaps you could characterize what >danger/threat and what meaningful protection against it you are looking for?
I don't have one yet. I'm trying to make sure I understand the proposal. I completely agree about integrity versus validation. Which fields to sign is only relevant here because a proposal to not sign From (which it had now been clarified this wasn't) would require an incompatible DKIM change. Scott K _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
