On 11/23/20 11:28 AM, John R Levine wrote:
From what I can tell, the main thing that ARC is doing is binding an
auth-res to a dkim signature-like thing. But as I recall -- it's been
a long time -- there were ordering requirements ala received headers
for where new dkim-signatures and auth-res go in the header. Assuming
my memory is correct, that means you can reconstruct "what this
looked like before i messed with it" already by signing the incoming
auth-res as part of the new DKIM signature.
Is there something more going on here?
Not really. There are ordering rules but mail systems do not follow
them reliably, DKIM signatures in practice are not ordered. Also, A-R
can be deleted in some situations, so ARC makes copies of them to be
more robust in transit.
If auth-res is sometimes deleted, why wouldn't we expect the arc
auth-res to not be deleted too?
I imagine that the vast majority of intermediaries that break signatures
number exactly one extra domain, so it's not very hard to reconstruct
the chain of custody from origin to destination. Assuming the
intermediary resigns with the incoming auth-res, the destination can
choose to believe that auth-res or not, right? Since this is an
experiment, do we have an idea of what the rest of the problem is after
the typical mailing list-like signature breakers are excluded?
Mike
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc