On 07/19/2018 11:18 PM, Autumn Tyr-Salvia wrote:
> Hello Email Folks,

Hi Autumn,

> I know signing the From: field is required by spec, but I think everything else is technically optional. For those of you who have been in the position of choosing which headers to sign and which not to, would you be open to sharing your reasoning with me? Any words of wisdom around headers they really should or should not sign?

Here's what I sign.

   Cc Content-Disposition Content-Language Content-Transfer-Encoding
   Content-Type Date From In-Reply-To Message-ID MIME-Version
   References Reply-To Resent-Date Resent-From Resent-To Resent-Cc
   Sender Subject To User-Agent

I basically sign all headers that I think should not change in transit. The only one that /might/ be a problem is Content-Transfer-Encoding, particularly if a message must be converted from 8-bit to 7-bit.

It's also important to think about what headers to /over/ sign as that prevents adding any extra instances of over signed headers.

I over sign the following headers:

   Cc Content-Disposition Content-Language Content-Transfer-Encoding
   Content-Type Date From In-Reply-To Message-ID MIME-Version
   References Reply-To Resent-Date Resent-From Resent-To Resent-Cc
   Sender Subject To User-Agent

Note: You want to NOT over sign headers that you know will be added. I.e. Received: headers.

Side comment about DKIM and mailing lists.

 - I view mailing lists as being a terminal endpoint for email. As such, I'm of the opinion that

1) SPF / DKIM / DMARC should be validated as they are received from the sender.
2) Remove the associated headers before entering the mailing list.
3) Add new counterpart headers as /new/ messages leave the mailing list.

> Insight much appreciated!

I don't know that my /opinion/ counts as "insight" per se. But here's hoping it helps or at least makes you ask questions whose answers help. ;-)

> Thanks,

You're welcome, and good luck.

--
Grant. . . .
unix || die
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
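
Added example, not part of the message above and not any signer's own code: a simplified Python model of how the h= tag selects header instances (RFC 6376 section 5.4.2), showing why over-signing detects an added header and why Received: should be left out. The function names, the constructed sample message, and the plain SHA-256 digest standing in for the canonicalized, signed header hash are assumptions of this sketch.

```python
import hashlib

def build_h_tag(headers, sign, oversign):
    """One h= entry per present instance of each signed header, plus one
    extra entry for every over-signed name (present or not)."""
    present = [name.lower() for name, _ in headers]
    tag = []
    for name in sign:
        tag += [name.lower()] * present.count(name.lower())
    return tag + [name.lower() for name in oversign]

def header_digest(headers, h_tag):
    """Stand-in for the DKIM header hash. Each h= entry consumes the
    bottom-most unused instance of that name; an entry with no instance
    left contributes the null string (RFC 6376 section 5.4.2)."""
    stacks = {}
    for name, value in headers:              # headers listed top to bottom
        stacks.setdefault(name.lower(), []).append(value)
    digest = hashlib.sha256()
    for name in h_tag:
        if stacks.get(name):
            value = stacks[name].pop()       # last appended = bottom-most
            digest.update(f"{name}:{value.strip()}\r\n".encode())
    return digest.hexdigest()

def survives(original, received, sign, oversign):
    """True if the digest fixed at signing time still matches after transit."""
    h_tag = build_h_tag(original, sign, oversign)
    return header_digest(original, h_tag) == header_digest(received, h_tag)

# Constructed sample message; headers added in transit are prepended.
MSG = [("Received", "from a.example by b.example"),
       ("From", "alice@example.org"),
       ("To", "bob@example.net"),
       ("Subject", "Quarterly numbers")]
EXTRA_SUBJECT = [("Subject", "Injected subject line")] + MSG
EXTRA_RECEIVED = [("Received", "from b.example by c.example")] + MSG
SIGN = ["From", "To", "Subject"]
WITH_RECEIVED = SIGN + ["Received"]

if __name__ == "__main__":
    # Signed only: a second Subject goes unnoticed by the signature.
    print(survives(MSG, EXTRA_SUBJECT, SIGN, []))
    # Over-signed: the extra h= entry picks up the added Subject.
    print(survives(MSG, EXTRA_SUBJECT, SIGN, SIGN))
    # Received left out of h=: a normal relay hop is harmless.
    print(survives(MSG, EXTRA_RECEIVED, SIGN, SIGN))
    # Received over-signed: every relay hop breaks the signature.
    print(survives(MSG, EXTRA_RECEIVED, WITH_RECEIVED, WITH_RECEIVED))
```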