On 10/8/2021 10:44 AM, Alessandro Vesely wrote:
On Fri 08/Oct/2021 18:18:45 +0200 Dave Crocker wrote:
Whether signed fields are validated depends on the signing domain's
policy.
That statement is both true and misleading.
DKIM has a semantic that is not dependent on the choices of folk who use
DKIM.
DKIM's semantic for what it signs does NOT include validation of the
content.
That some signers might do some sorts of validation does not affect
DKIM's semantics.
Within the context of the DKIM specification there is no way to tell
that a signer has these added constraints or meanings.
Therefore, if you are interpreting a signature as meaning that some
aspect of the data is valid, you have gone beyond DKIM.
DMARC is an example of going beyond DKIM semantics, with incremental
specification, but only for the domain name in the From field.
Some do check that From: is valid. If they add Author:, I'd expect
they faithfully copy it from From:.
Unfortunately, there is no automated way to learn a domain's policy.
Exactly.
DMARC adds to the semantics with its definition of alignment. It's
part of DMARC, not DKIM.
So it's certainly reasonable to include the Author: field in the set
that produces the DKIM signature, but that inclusion does not have
any semantic other than it didn't get changed since the signing.
Data integrity is nice but is quite different from validation.
If the author's domain signed Author:, then a receiver knows that they
are aware of the mailing list problem and presumably interested in
validation results.
I think I understand this thinking, but I also think it imparts far
more thought and diligence than is going to validly apply.
--
Dave Crocker
[email protected]
408.329.0791
Volunteer, Silicon Valley Chapter
Information & Planning Coordinator
American Red Cross
[email protected]
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
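An added worked example of the distinction drawn in the exchange above between data integrity and validation. It is not code from the thread, from the IETF, or from any DKIM implementation; it is a self-contained signer and verifier written for illustration. It uses Ed25519 (a=ed25519-sha256, as RFC 8463 defines), the "relaxed" header canonicalization of RFC 6376, and a cut-down body canonicalization; the message headers, the domain example.com, the selector sel1, the one-instance-per-name Headers map, and the strict-mode DMARC alignment check are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Headers maps a lower-cased field name to its unfolded value (one instance per name).
type Headers map[string]string

// relaxed applies DKIM "relaxed" header canonicalization (RFC 6376 3.4.2).
func relaxed(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

// bodyHash is bh=: SHA-256 of the body with exactly one trailing CRLF (cut-down "simple").
func bodyHash(body string) string {
	h := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(h[:])
}

// parseTags splits a "k=v; k=v" list such as a DKIM-Signature value.
func parseTags(v string) map[string]string {
	tags := map[string]string{}
	for _, t := range strings.Split(v, ";") {
		if k, val, ok := strings.Cut(strings.TrimSpace(t), "="); ok {
			tags[k] = val
		}
	}
	return tags
}

// signedInput is what gets hashed: the headers named in h=, in that order, then the
// DKIM-Signature field itself with b= emptied and without its trailing CRLF.
func signedInput(hdrs Headers, signed []string, dkimValue string) []byte {
	var b strings.Builder
	for _, name := range signed {
		if v, ok := hdrs[name]; ok {
			b.WriteString(relaxed(name, v))
		}
	}
	b.WriteString(strings.TrimSuffix(relaxed("DKIM-Signature", dkimValue), "\r\n"))
	return []byte(b.String())
}

// Sign returns a DKIM-Signature value (a=ed25519-sha256, RFC 8463). It never inspects
// header values: the signer vouches only that these bytes were present when it signed.
func Sign(priv ed25519.PrivateKey, domain, selector string, hdrs Headers, body string, signed []string) string {
	base := fmt.Sprintf("v=1; a=ed25519-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), bodyHash(body))
	digest := sha256.Sum256(signedInput(hdrs, signed, base))
	return base + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, digest[:]))
}

// Verify returns true only if the h= headers and the body are byte-for-byte what the
// signer saw. That is data integrity; it says nothing about whether the values are valid.
func Verify(pub ed25519.PublicKey, dkim string, hdrs Headers, body string) bool {
	tags := parseTags(dkim)
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	i := strings.LastIndex(dkim, "; b=") // the signed text ends right after "b="
	if err != nil || i < 0 || tags["bh"] != bodyHash(body) {
		return false
	}
	digest := sha256.Sum256(signedInput(hdrs, strings.Split(tags["h"], ":"), dkim[:i+4]))
	return ed25519.Verify(pub, digest[:], sig)
}

// addrDomain pulls the domain out of "Name <local@domain>" or "local@domain" (simplified).
func addrDomain(v string) string {
	if i := strings.LastIndex(v, "<"); i >= 0 {
		v = strings.TrimSuffix(v[i+1:], ">")
	}
	_, dom, _ := strings.Cut(strings.TrimSpace(v), "@")
	return strings.ToLower(dom)
}

// Aligned is a DMARC strict-alignment check: d= must equal the From: domain. DMARC
// attaches this meaning to From: only; nothing in this file gives Author: such a rule.
func Aligned(dkim string, hdrs Headers) bool {
	return strings.EqualFold(parseTags(dkim)["d"], addrDomain(hdrs["from"]))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed message: Author: contradicts From:, and the signer does not care.
	hdrs := Headers{"from": "Alice <alice@example.com>", "author": "Mallory <mallory@example.net>"}
	body := "hello\r\n"
	dkim := Sign(priv, "example.com", "sel1", hdrs, body, []string{"from", "author"})
	tampered := Headers{"from": hdrs["from"], "author": "Alice <alice@example.com>"}
	fmt.Println("verifies with bogus Author: ", Verify(pub, dkim, hdrs, body))      // true
	fmt.Println("detects later Author: change:", !Verify(pub, dkim, tampered, body)) // true
	fmt.Println("DMARC-aligned on From: only: ", Aligned(dkim, hdrs))               // true
}
```

Run with `go run`. All three lines print true: the signature over an Author: value that contradicts From: verifies, because signing is not validation; editing Author: after signing is detected, which is all that putting it in h= buys; and the only header the alignment step attaches meaning to is From:, because that rule comes from DMARC, not from DKIM. A receiver holding only the signature cannot tell whether example.com checked Author: before signing, which is the point about there being no automated way to learn a domain's policy.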