Hello All, In an effort to make it easier for our users to prevent DKIM replay attacks, we're looking at adding an option to our DKIM signing module to automatically oversign headers in the DKIM signature, adding an additional entry in the headers list to assert a null header, preventing a malicious third party from adding an additional header but having the message still validate as DKIM because only one instance of the header was listed in the signature.
To that end, we're trying to make this as easy as possible for our users out of the box, ideally just having Oversign = True as an option, where any header listed for signing would then get n+1 entries in the header list, so that any duplicate headers present in the message result in one more entry. So one header gets two entries, two headers gets three, etc. In the interest of the rule of unforseen consequences, we're trying to avoid oversigning any headers that would break further downstream processing. Does anyone know of any headers that *should* be DKIM signed, but *should not* be oversigned? Thanks, Mike KumoMTA _______________________________________________ Ietf-dkim mailing list [email protected] https://www.ietf.org/mailman/listinfo/ietf-dkim
