On Wed, Jul 8, 2020 at 1:08 PM Dotzero <dotz...@gmail.com> wrote: > > That seems to imply DKIM, which relies on DNS and cryptography, is LESS >> heavyweight than reversing text transformations, which relies only on the >> local CPU and memory and probably arithmetic. I'm not sure I agree. >> > > Once you reverse the transformations you would still need to do the DKIM > lookup to validate the reversed text that was signed. Simply reversing the > transformations without validating doesn't give you much of anything useful. >
Of course, but both DKIM signatures will be validated with or without this proposal, which requires processing the entire message body anyway. A sub-optimal flow might be: - validate the MLM signature; it passes - validate the author domain signature; it fails - notice the MLM signature (which validated) has a "tf=" tag saying "subject,footer" - search the body backwards until you find the delimiter, and toss away everything after that, which undoes the "footer" - un-mutate the Subject - re-validate the author domain signature (you don't have to repeat the DNS stuff, it's cached); it (in theory) passes <hand_waving> You could maybe do clever tricks like notice that "tf" is there and apply the reverses inline as you process the author signature, saving you a repeat verification pass. </hand_waving> In any case, now you know the same thing ARC told you, but you didn't have to do more crypto than just the two DKIM signatures than you were going to do anyway, and you avoid larding the header as ARC does. I have less confidence in the expense of the MIME un-transformations because I've never implemented them specifically. I could take a run at it but there are probably libraries out there that do a better job than I would. -MSK
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
