>On Wed, Jun 11, 2014 at 7:15 AM, John Levine <jo...@taugh.com> wrote: > >> Right. So if you don't want people using unforwarded weak signatures >> for reputation management, you need to put something into them so that >> old clients don't accept them as signatures and ignore the t= tag. >> Either call them something other than DKIM-Signature, or do a version >> bump to v=2. >> > >I'm not clear on the case you're describing. Can you mock up an example? > >Also, isn't it "x=" that's interesting here, not "t="?
Someone sends off a message to a mailing list with the two DKIM signatures and DKIM-Delegate. Someone else, perhaps a list subscriber, notes that the weaker signature doesn't cover the body, so he replaces the body with nose enlargement spam and blasts it out. Recipient MTAs which haven't been updated since 2014 and don't know about DKIM-Delegate see the weak but valid signature and since the signer has a generally good reputation, delivers it. Ugh. This hasn't been a problem before. Although you've always been allowed to use weak signatures, there's been no advantage to doing so, so nobody did. Now you do, but with new semantics that you shouldn't pay much (any?) attention to that signature unless it's paired with the forwarder's. One could make an argument that it's not technically a semantic change to DKIM (indeed, Dave just did), but in practical terms, it is likely to interact poorly with existing unupgraded software, so I'd want a version bump so that the old software ignores the special purpose signature. Bonus question: why put the author domain and target domain fields in a new header rather than just addding ddd=<author> and ddt=<forwarders> to the signature header? R's, John _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc