On Tue 22/Apr/2025 16:49:29 +0200 Murray S. Kucherawy wrote:
> On Tue, Apr 22, 2025 at 4:56 AM Alessandro Vesely <[email protected]> wrote:
>> On Tue 15/Apr/2025 21:21:58 +0200 Bron Gondwana wrote:
>>> So I'm very interested in a discussion of *"should we have an exclude-list
>>> rather than an include-list of signed headers?"*
>> Don't sign MIME-Version: especially if it has comments.
> RFC 4871 expressly listed that as one that SHOULD be signed. We softened
> this in RFC 6376 to be basically a debate about whether MIME-Version (among
> others) represents "core" content. I have always thought of anything that
> impacts what the user will eventually see as "core" content that DKIM
> should be covering.
> So why would we not sign MIME-Version, given that it's key to
> interpretation and rendering of the message?
I was going to add Content-Type: as well, but this is controversial, because
sometimes it is necessary. These are "technical" header fields that are best
left to machines. Signing them reduces the resilience of a signature.
Best
Ale
--
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
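The resilience point in the thread, shown in code. This is an added example for this page, not code from the thread's participants or from any DKIM implementation: it applies RFC 6376 "relaxed" header canonicalization to a constructed header block, selects the signed fields either by an h=-style include list or by an exclude list, and compares the header hash before and after an intermediary rewrites MIME-Version (dropping its comment) or appends a List-Id field. Real DKIM signs the hash with the domain's private key and folds the DKIM-Signature field itself into the hash input; both steps are omitted here because they do not change which rewrites survive. The header values, the `rewrite_mime_version` and `add_header` helpers, and the `CORE` list are assumptions made for the example.

```python
"""Which header-set choices survive a MIME-Version: rewrite?  (added example)"""
import hashlib
import re

# Constructed sample header block, in message order (not taken from the thread).
ORIGINAL = [
    ("Return-Path", "<alice@example.org>"),
    ("Received", "from mail.example.org by mx.example.net; Tue, 22 Apr 2025 16:49:29 +0200"),
    ("From", "Alice <alice@example.org>"),
    ("To", "Bob <bob@example.net>"),
    ("Subject", "Re: exclude-list or include-list of signed headers?"),
    ("Date", "Tue, 22 Apr 2025 16:49:29 +0200"),
    ("MIME-Version", "1.0  (Mail Client 4.2)"),   # comment, as in Ale's warning
    ("Content-Type", "text/plain; charset=utf-8"),
]

# The "core" fields Murray refers to, as assumed for this example.
CORE = ["From", "To", "Subject", "Date"]


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 relaxed canonicalization of one header field.

    Comments in the value are NOT removed, so "1.0 (x)" and "1.0" differ.
    """
    name = name.lower()
    value = re.sub(r"\r?\n", "", value)          # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip() # collapse WSP, trim ends
    return f"{name}:{value}\r\n"


def select_signed(headers, include=None, exclude=None):
    """Return the (name, value) pairs that go into the header hash.

    include: h=-style list; each name consumes the next unsigned instance of
             that field counting from the bottom (RFC 6376 section 5.4.2), and
             a name with no instance left contributes nothing (oversigning).
    exclude: everything present is signed except the listed names.
    """
    if (include is None) == (exclude is None):
        raise ValueError("give exactly one of include= or exclude=")
    if include is not None:
        remaining, chosen = list(headers), []
        for name in include:
            for i in range(len(remaining) - 1, -1, -1):
                if remaining[i][0].lower() == name.lower():
                    chosen.append(remaining.pop(i))
                    break
        return chosen
    excluded = {n.lower() for n in exclude}
    return [(n, v) for n, v in headers if n.lower() not in excluded]


def header_hash(headers, **selection):
    """SHA-256 over the canonicalized signed fields (the value DKIM would sign)."""
    data = "".join(relaxed_header(n, v) for n, v in select_signed(headers, **selection))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def signature_survives(original, rewritten, **selection):
    """True if the same header-set choice yields the same hash after the rewrite."""
    return header_hash(original, **selection) == header_hash(rewritten, **selection)


# Two constructed intermediary behaviours (assumptions for the example).
def rewrite_mime_version(headers, new_value="1.0"):
    """An MTA that normalises MIME-Version: and drops the comment."""
    return [(n, new_value if n.lower() == "mime-version" else v) for n, v in headers]


def add_header(headers, name, value):
    """A mailing list that appends a field the signer never saw."""
    return list(headers) + [(name, value)]


if __name__ == "__main__":
    normalised = rewrite_mime_version(ORIGINAL)
    listed = add_header(ORIGINAL, "List-Id", "DKIM discussion <ietf-dkim.ietf.org>")
    print("h=core+MIME-Version, comment dropped :",
          signature_survives(ORIGINAL, normalised, include=CORE + ["MIME-Version"]))
    print("h=core only,         comment dropped :",
          signature_survives(ORIGINAL, normalised, include=CORE))
    print("exclude MIME-Version, comment dropped:",
          signature_survives(ORIGINAL, normalised,
                             exclude=["MIME-Version", "Received", "Return-Path"]))
    print("exclude-list,        List-Id appended:",
          signature_survives(ORIGINAL, listed,
                             exclude=["MIME-Version", "Received", "Return-Path"]))
    print("h=core only,         List-Id appended:",
          signature_survives(ORIGINAL, listed, include=CORE))
```

The first three results show Ale's point: because relaxed canonicalization keeps comments, any signer that lists MIME-Version in h= loses the signature the moment a downstream MTA tidies that field, whether the selection was an include list or an exclude list. The last two show the other side of Bron's question: a pure "sign everything except X" rule also breaks whenever a field is appended, which an h= include list ignores by construction, so an exclude-list design would still need some way to pin down the set that was present at signing time.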