On 11/21/2022 4:21 PM, Murray S. Kucherawy wrote:
> We actually seemed to like the idea, at least back then, that the
> signature survives delivery so that it can be validated at any point
> later.
It was and is an entirely reasonable point. And of course, I'm not in
the least biased.
But seriously, I think this concern can be handled with a small elaboration:
1. State the strong SHOULD that the DKIM signature be removed when
handling of the message is complete. ('handling' obviously is a
term meant to allow some flexibility, but not too much.)
2. State the non-normative advice that the typical scenario be
removal by the MDA, but acknowledge the more elaborate scenario,
where removal might be by the recipient UA or the POP or IMAP
agent it uses.
done.
This has the considerable appeal of not requiring coordination to
implement. Receivers can do it, by fiat, independently of originators.
However it has the considerable downside, as noted, that bad actor
receivers won't do it.
So, this is merely one of a set of mechanisms we should specify. I
think, for example, there are sender-side actions that should also be
specified. Again, this doesn't have a magic bullet, given the degree of
distribution and independent development and deployment that happens
with email.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@[email protected]
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
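
The receiver-side removal proposed in the message above, as an added example that is not part of the original post or of any DKIM specification: a delivery-time filter, of the kind an MDA could run once handling of the message is complete, that drops every DKIM-Signature header field (folded continuation lines included) and leaves everything else byte-for-byte intact. The function name and the sample message are constructed for illustration.

```python
import re

# Field name match is case-insensitive, as header field names are in RFC 5322.
_DKIM_FIELD = re.compile(rb"^dkim-signature[ \t]*:", re.IGNORECASE)


def strip_dkim_signatures(raw: bytes) -> tuple[bytes, int]:
    """Return (message without DKIM-Signature fields, number of fields removed).

    Assumption: the caller has already finished any verification it wants,
    since the signatures cannot be checked after this step.
    """
    out, removed, dropping, in_headers = [], 0, False, True
    for line in raw.splitlines(keepends=True):
        if in_headers:
            if line in (b"\r\n", b"\n"):        # blank line ends the header section
                in_headers = False
            elif line[:1] in (b" ", b"\t"):      # folded continuation of previous field
                if dropping:
                    continue
            else:                                 # start of a new header field
                dropping = bool(_DKIM_FIELD.match(line))
                if dropping:
                    removed += 1
                    continue
        out.append(line)                          # body lines are never inspected
    return b"".join(out), removed


# Constructed sample: two signatures (one folded, one lower-case) and a body
# line that merely looks like a signature header and must survive.
SAMPLE = (
    b"Received: from mx.example.net by mda.example.org\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\r\n"
    b"\th=from:to:subject; bh=CONSTRUCTED;\r\n"
    b"\tb=CONSTRUCTED\r\n"
    b"From: alice@example.com\r\n"
    b"dkim-signature: v=1; a=rsa-sha256; d=list.example; s=sel2; b=CONSTRUCTED\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"DKIM-Signature: this body line must survive\r\n"
)

if __name__ == "__main__":
    cleaned, count = strip_dkim_signatures(SAMPLE)
    print(f"removed {count} signature field(s)")
    print(cleaned.decode("ascii"))
```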