In message <[email protected]>, Steven M
Jones <[email protected]> writes
>
>On 11/20/24 12:03, Richard Clayton wrote:

>> it means that if the message, for whatever reason, reaches another DKIM2
>> system it is possible to determine that the gateway intentionally
>> changed the message ... (and hence local policy is going to have to kick
>> in to decide what to do with a failing signature) otherwise one might
>> conclude that the failure of every preceding signature was some other
>> system's failure to look after the message properly -- and it might be
>> that a DSN was speciously generated (depending on the exact chain of
>> custody)
>
>So the proposition is that we would universally apply DKIM2 at the SEG 
>and verify again at the recipient ADMD/mailstore, so that if X% of 
>messages are forwarded or otherwise escape, they could be checked with 
>DKIM2 at the downstream hops, and not have to be treated as ever having 
>left the DKIM2 world, which... would mean just handling it as they do 
>today, right? Once you've left DKIM2, you fall back to the old ways of 
>doing things.

It is not necessary for the mailstore to check anything if it trusts the
security gateway ... however, out-of-the-box MTAs may well do checks so
it makes sense for the security gateway to add a DKIM2 header saying
what it has done

>I thought we were looking at a not-uncommon enterprise situation where 
>we have an adequate trust mechanism in place today without much 
>forwarding, and we're going to impose a lot of overhead for what looked 
>like not much benefit. 

adding one DKIM2 header (which says "it's complicated" to cover
modifications) does not sound like "a lot of overhead" to me. It is
certainly simpler than documenting what those changes were.

... and please note that messages that leave the DKIM2 world may
re-enter it thereafter ... you'll note that we have reconsidered our
proposal from -00 of our draft to -01. This is a complicated space
where the trade-offs are not immediately obvious

>But are we more thinking of large mailbox 
>providers like mobile telcos using SEGs/services, with massive 
>forwarding populations, and we're focused on their downstream impacts?

there are a fair number of people using large mailbox providers who
receive email via Proofpoint (and doubtless their competitors as well)

I have no doubt that these systems are adding ARC headers today (hoping
that they will be trusted sufficiently that "no auth no entry" will not
be a problem).

Since we're meant to be discussing whether to open a WG and what its
charter should be, should superseding ARC be specifically mentioned ?

-- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
