Dave Crocker wrote in
<[email protected]>:
|On 1/16/2024 3:57 PM, Evan Burke wrote:
...
|> Without oversigning those headers, DKIM would pass,
|
|Yes, oversigning is useful. And it has been useful for a very long
|time. It is important to do. So it is good to have DKIM modules
|support this capability.

Just to make that clear to myself (who is currently writing his
first simple DKIM sign-only milter): this refers to section 5.4 of
RFC 6376, namely

  ...
  Signers MAY include the header field name in the "h=" tag even
  if that header field does not exist in the message)
  ...
  INFORMATIVE RATIONALE: This allows Signers to explicitly assert
  the absence of a header field; if that header field is added
  later, the signature will fail.

  INFORMATIVE NOTE: A header field name need only be listed once
  more than the actual number of that header field in a message at
  the time of signing in order to prevent any further additions.
  For example, if there is a single Comments header field at the
  time of signing, listing Comments twice in the "h=" tag is
  sufficient to prevent any number of Comments header fields from
  being appended; it is not necessary (but is legal) to list
  Comments three or more times in the "h=" tag.

|However the abuse scenarios which are reduced or eliminated by oversigning are
|outside the scope of the recent abuse that is being called DKIM Replay.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
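The following is an added example, not code from the message above, from Steffen's milter or from RFC 6376 itself. It models the h= selection rule of RFC 6376 section 5.4.2 (each listed name takes the bottom-most not-yet-used instance of that field; surplus entries select nothing) and shows why listing a name once more than it occurs, as the informative note above describes, makes a header added after signing break verification, while a header listed the plain number of times can be added freely. The header block is constructed sample input, and an HMAC with a fixed key stands in for the RSA or Ed25519 signature over the hash; the DKIM-Signature field itself and the body hash (bh=) are left out to keep the focus on header selection.

```python
"""Added example: RFC 6376 s5.4.2 header selection and h= oversigning.
Not part of the quoted mail, of RFC 6376, or of any DKIM library."""
import hashlib
import hmac
import re

# Constructed message header block, (name, value) pairs, top of message first.
SIGNED_HEADERS = [
    ("From", "alice@example.com"),
    ("To", "bob@example.net"),
    ("Subject", "hello"),
    ("Comments", "original comment"),
]

# Assumption: a shared HMAC key stands in for the signer's key pair. Real DKIM
# uses rsa-sha256 (RFC 6376) or ed25519-sha256 (RFC 8463) with the public key
# published in DNS; the header-selection logic below is the same either way.
SIGNING_KEY = b"demo-key-not-a-real-dkim-key"

PLAIN_H = ["From", "To", "Subject", "Comments"]


def select_headers(headers, h_list):
    """RFC 6376 s5.4.2: for each name in h=, in order, take the bottom-most
    instance of that field not yet used. When the instances are exhausted,
    further entries of that name select nothing (an empty contribution)."""
    used = set()
    selected = []
    for name in h_list:
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in used and headers[idx][0].lower() == name.lower():
                used.add(idx)
                selected.append(headers[idx])
                break
    return selected


def relaxed(name, value):
    """Relaxed header canonicalization (RFC 6376 s3.4.2): lowercase the name,
    unfold, collapse whitespace runs to one space, strip, append CRLF."""
    value = re.sub(r"[ \t]*\r?\n[ \t]*", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def header_hash_input(headers, h_list):
    """Bytes both signer and verifier hash for the selected headers. A real
    implementation also appends the DKIM-Signature field with an empty b=
    and carries the body hash in bh=; both omitted here."""
    return "".join(relaxed(n, v) for n, v in select_headers(headers, h_list)).encode()


def oversign_list(headers, names):
    """Build h= per the s5.4 informative note: list each name once more than
    it occurs at signing time, so an absent header is listed exactly once."""
    out = []
    for name in names:
        count = sum(1 for n, _ in headers if n.lower() == name.lower())
        out.extend([name] * (count + 1))
    return out


def sign(headers, h_list):
    return hmac.new(SIGNING_KEY, header_hash_input(headers, h_list), hashlib.sha256).hexdigest()


def verify(headers, h_list, signature):
    return hmac.compare_digest(sign(headers, h_list), signature)


def survives_header_addition(oversign, added_name):
    """Sign SIGNED_HEADERS, then add a header of the given name at the top
    (where a relay or attacker would insert it) and re-verify with the same
    h= list. Returns True if the signature still verifies."""
    h_list = oversign_list(SIGNED_HEADERS, PLAIN_H + ["Reply-To"]) if oversign else PLAIN_H
    sig = sign(SIGNED_HEADERS, h_list)
    tampered = [(added_name, "added after signing")] + SIGNED_HEADERS
    return verify(tampered, h_list, sig)


if __name__ == "__main__":
    print("plain h=:", PLAIN_H)
    for name in ("Comments", "Reply-To"):
        print(f"  added {name}, still verifies:", survives_header_addition(False, name))
    print("oversigned h=:", oversign_list(SIGNED_HEADERS, PLAIN_H + ["Reply-To"]))
    for name in ("Comments", "Reply-To"):
        print(f"  added {name}, still verifies:", survives_header_addition(True, name))
```

With the plain list, the added Comments field is simply never selected (the verifier walks from the bottom and stops at the original one), so the signature keeps verifying; with the oversigned list, the second "Comments" entry and the single "Reply-To" entry now pick up the new field and the hash input changes, so verification fails, which is exactly the assertion of absence the RFC rationale describes.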
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim