> -----Original Message----- > From: [email protected] [mailto:ietf-dkim- > [email protected]] On Behalf Of Ian Eiloart > Sent: Thursday, September 16, 2010 3:20 AM > To: Hector Santos; [email protected] > Subject: Re: [ietf-dkim] draft-vesely-dkim-joint-sigs > > I don't think so. The original signature should only sign the DKIM- > required > and From headers, and perhaps enough other headers to reduce utility of > replay attacks. Importantly, they should only sign parts that are > likely to > be unbroken by the MLM, thus satisfying ADSP requirements. However, the > recipient knows that a valid signature from the MLM is required, too. > Thus, > the original DKIM signature is only valid for messages going through > the > list - off list replay isn't possible. On-list replay can be limited by > ALSO including a full DKIM signature, for the list to check before > redistributing.
I'm worried about that third sentence. If people are encouraged not to sign Subject:, for example, which is a popular display header field, one could spamify that field and re-send the message. If you subscribe to the idea that a DKIM signature reflects a domain taking some responsibility for a message, I'd have a hard time not signing Subject: (or From:) for any reason. _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
