On Fri 08/Oct/2021 19:57:59 +0200 Dave Crocker wrote:
On 10/8/2021 10:44 AM, Alessandro Vesely wrote:
On Fri 08/Oct/2021 18:18:45 +0200 Dave Crocker wrote:
Whether signed fields are validated depends on the signing domain's policy.
That statement is both true and misleading.
DKIM has a semantic that is not dependent on the choices of folk who use DKIM.
DKIM's semantic for what it signs does NOT include validation of the content.
That some signers might do some sorts of validation does not affect DKIM's
semantics.
Within the context of the DKIM specification there is no way to tell that a
signer has these added constraints or meanings.
Therefore, if you are interpreting a signature as meaning that some aspect of
the data are valid, you have gone beyond DKIM.
DMARC is an example of going beyond DKIM semantics, with incremental
specification, but only for the domain name in the From field.
Would it make sense to extend DMARC commitment to the whole From: field? For
example, assert that the local part and the display name have been set by an
authenticated user? (Rather than automatically munged.)
DMARC adds to the semantics with its definition of alignment. It's part of
DMARC, not DKIM.
So it's certainly reasonable to include the Author: field in the set that
produce the DKIM signature, but that inclusions does not have any semantic
other than it didn't get changed since the signing. Data integrity is nice
but is quite different from validation.
If the author's domain signed Author:, then a receiver knows that they are
aware of the mailing list problem and presumably interested in validation
results.
I think understand this thinking but I also think it imparts far too much
thought and diligence that is going to validly apply.
It is the same sentiment that makes one add Author:. There are mailbox
providers who set p=quarantine or harder (and possibly pct=0) just so that MLMs
are forced to rewrite From: and thus they get rid of aggregate reports
containing failed DMARC checks.
Mailbox providers who add Author: must belong to a different category. Perhaps
they care that their signatures survive MLM transformations. Such possibility
depends on how they sign, relaxed rather than simple, which header fields, how
to do Content-Transfer-Encoding:, and the like. DMARC feedback is essential to
guide those choices, so it should be addressed also to the author's domains.
Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
