Dave Crocker wrote in
 <82f48c8d-b89c-404f-87ac-4619628dd...@dcrocker.net>:
 |On 1/16/2024 3:57 PM, Evan Burke wrote:
 ...
 |> Without oversigning those headers, DKIM would pass,
 |
 |Yes, oversigning is useful.  And it has been useful for a very long

Just to make that clear to myself, who is currently writing his
first simple DKIM sign-only milter.  This refers to 5.4 of RFC 6376,
namely

  ...
  Signers MAY include the header field name in the "h=" tag even if
  that header field does not exist in the message)
  ...
  INFORMATIVE RATIONALE: This allows Signers to explicitly assert the
  absence of a header field; if that header field is added later,
  the signature will fail.

  INFORMATIVE NOTE: A header field name need only be listed once more
  than the actual number of that header field in a message at the
  time of signing in order to prevent any further additions.  For
  example, if there is a single Comments header field at the time of
  signing, listing Comments twice in the "h=" tag is sufficient to
  prevent any number of Comments header fields from being appended;
  it is not necessary (but is legal) to list Comments three or more
  times in the "h=" tag.

 |time.  It is important to do.  So it is good to have DKIM modules
 |support this capability.
 |
 |However the abuse scenarios which are reduced or eliminated by
 |oversigning are outside the scope of the recent abuse that is being
 |called DKIM Replay.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
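Added illustration (not part of the thread, not from any DKIM milter): a
minimal model of the RFC 6376 header selection and relaxed header
canonicalization, enough to show why the "h=" trick above works. It hashes
only the header part, uses constructed sample headers, and ignores the body
hash and the actual signature; a header added by a later MTA is prepended at
the top of the block, as MTAs do, and the point is whether the header hash
still matches.

```python
import hashlib
import re

# Constructed sample header block, in message order (top to bottom).
HEADERS = [
    ("From", "alice@example.org"),
    ("Subject", "hello"),
    ("Comments", "first comment"),
]

def relaxed_header(name, value):
    """RFC 6376 s3.4.2 relaxed canonicalization of one header field."""
    value = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)  # unfold
    value = re.sub(r"[ \t]+", " ", value).strip()     # collapse/strip WSP
    return f"{name.lower()}:{value}\r\n"

def select_headers(headers, h_tag):
    """Pick the instances named by h= (RFC 6376 s5.4.2): for each name take
    the physically last instance not yet used, walking bottom-up; a name
    with no instance left contributes nothing to the hash, which is what
    lets an extra listing assert the header's absence."""
    remaining = list(headers)
    out = []
    for name in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                out.append(remaining.pop(i))
                break
    return out

def header_hash(headers, h_tag):
    data = "".join(relaxed_header(n, v) for n, v in select_headers(headers, h_tag))
    return hashlib.sha256(data.encode()).hexdigest()

def oversign_h_tag(headers, names):
    """h= listing each name once more than it occurs (RFC 6376 s5.4 NOTE)."""
    counts = {n.lower(): 0 for n in names}
    for n, _ in headers:
        if n.lower() in counts:
            counts[n.lower()] += 1
    return ":".join(":".join([n.lower()] * (counts[n.lower()] + 1)) for n in names)

def survives_added_header(headers, h_tag, name, value):
    """True if a header prepended after signing leaves the header hash intact,
    i.e. the signature would still verify."""
    return header_hash(headers, h_tag) == header_hash([(name, value)] + headers, h_tag)
```

With "from:comments" an added Comments or To header goes unnoticed; with the
oversigned tag the same addition changes the hash and the signature fails.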