sbp commented on issue #45: URL: https://github.com/apache/incubator-ponymail-foal/issues/45#issuecomment-857615126
It may be worth noting that [RFC 8617 § 4.1.2](https://datatracker.ietf.org/doc/html/rfc8617#section-4.1.2) says:

> To preserve the ability to verify the integrity of a message, the
> signature of the AMS header field SHOULD include any DKIM-Signature
> header fields already present in the message.

Which means that if an ARC hop adds its own `dkim-signature` this would be detectable if it follows the advice of the ARC RFC. Furthermore, each hop must use an incremented instance tag, defined in [§ 4.2.1](https://datatracker.ietf.org/doc/html/rfc8617#section-4.2.1) _ibid._ as follows:

> Instance tag values are integers that begin at 1 and are incremented
> by each addition of an ARC Set. Through the incremental values of
> instance tags, an ARC Validator can determine the order in which ARC
> Sets were added to a message.

In conjunction, these two points mean that it should be possible to determine which DKIM and ARC headers were added on each ARC hop, but only when the advice to include the `dkim-signature` header to the `arc-message-signature` was taken. Also this applies only for ARC hops, and not when DKIM is added without ARC.

It should be possible to write code which, when the original mailing list manager signing identity is known, determines a message compatible with the one used by the mailing list manager for DKIM-ID generation.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
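The hop ordering described in the comment above, as an added sketch that is not part of the original comment or of the Pony Mail Foal code: it orders ARC Sets by instance tag and counts how many `DKIM-Signature` headers each `ARC-Message-Signature` lists in `h=`. The sample message, its domains and the function names are constructed for illustration; it assumes each signer lists one `dkim-signature` entry per header it covers, and it verifies no signatures.

```python
import email
import re

# Constructed sample, newest header first: sender signs with DKIM, the list manager
# adds ARC Set i=1 plus its own DKIM signature, a forwarder adds ARC Set i=2.
# Signature data is placeholder text; nothing is verified cryptographically.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; d=forwarder.example; s=k; cv=pass; b=AAAA
ARC-Message-Signature: i=2; a=rsa-sha256; d=forwarder.example; s=k;
 h=from:subject:dkim-signature:dkim-signature; bh=AAAA; b=AAAA
ARC-Authentication-Results: i=2; forwarder.example; dkim=pass
DKIM-Signature: v=1; a=rsa-sha256; d=list.example; s=k; h=from:subject; bh=AAAA; b=AAAA
ARC-Seal: i=1; a=rsa-sha256; d=list.example; s=k; cv=none; b=AAAA
ARC-Message-Signature: i=1; a=rsa-sha256; d=list.example; s=k;
 h=from:subject:dkim-signature; bh=AAAA; b=AAAA
ARC-Authentication-Results: i=1; list.example; dkim=pass
DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=k; h=from:subject; bh=AAAA; b=AAAA
From: alice@sender.example
Subject: test

body
"""

def tags(value):
    """Parse a 'tag=value; tag=value' header body into a dict."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): re.sub(r"\s+", "", v) for k, v in pairs}

def arc_hops(raw):
    """Return one dict per ARC hop, ordered by instance tag."""
    msg = email.message_from_string(raw)
    ams = sorted((tags(v) for v in msg.get_all("ARC-Message-Signature", [])),
                 key=lambda t: int(t["i"]))
    # RFC 8617 section 4.2.1: instance values begin at 1 and increment per ARC Set.
    if [int(t["i"]) for t in ams] != list(range(1, len(ams) + 1)):
        raise ValueError("ARC instance tags are not a contiguous 1..N sequence")
    hops, prev = [], 0
    for t in ams:
        # Each 'dkim-signature' entry in h= covers one DKIM-Signature header
        # that was already present when this hop signed (assumption, see lead-in).
        covered = t.get("h", "").lower().split(":").count("dkim-signature")
        hops.append({"i": int(t["i"]), "d": t["d"], "dkim_covered": covered,
                     "dkim_new_since_prev_hop": covered - prev})
        prev = covered
    return hops

if __name__ == "__main__":
    for hop in arc_hops(SAMPLE):
        print(hop)
```

A hop whose `dkim_covered` is 0 either saw no DKIM signature or did not follow the SHOULD in § 4.1.2, so nothing can be inferred about DKIM headers at that hop.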
