On Thu 30/May/2024 15:27:51 +0200 Murray S. Kucherawy wrote:
On Thu, May 30, 2024 at 3:30 AM Alessandro Vesely <[email protected]> wrote:
z= is a valuable tool for debugging and learning why signatures fail.
For reversing purposes, instead, Original-* fields are preferable as they
can be individually added and possibly signed also by different
operators. Reversal must not blindly replace altered fields so as to force
verification. It should check whether the applied changes meet per-field
acceptance criteria. >
I don't understand your "preferable" claim given that an Original-* field
is subject to mutation just as any other field is. It's just as fragile as
any other solution. At least with "z=", you're far more likely to get back
an actual original.
z= saves all fields, which would be too much in most cases. Moreover, doing so
suggests treating all fields as a whole, rather than dealing with each one's
peculiarity.
Of course, if an Original- field is tampered with the original signature won't
verify after replacing it, just like if you altered z=. But then, reverting
without cooperation is not the same as doing it with active opposition. Why
would someone alter Original- fields? A mediator wanting to disrupt the
possibility to reverse had better removing the signature directly.
Best
Ale
--
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
