On 11/27/2022 5:48 PM, Murray S. Kucherawy wrote:

    Post-delivery survival of the signature is not only not a goal, it is
    arguably (or possibly demonstrably) a problem.


Can we say more about this if we're going to take that position?  A naked "not a goal" doesn't jibe with RFC 4686, which explicitly says it is a goal, or at least that it was one.

Hmmm.  Having looked through the RFC, for every occurrence of 'delivery', I don't see an obvious statement indicating it is a goal.

I /do/ see a reference to wanting DKIM evaluation to be at the MDA or MUA.  Saying MUA does, obviously, imply surviving past formal delivery.  Hmmm...


I guess that means it comes down to making an argument about what experience has shown us: Does Barry's use case, plus the Thunderbird plug-in use case, together carry more weight than the perceived problem that replay causes?

Also, a reminder that the WG hasn't actually rechartered yet; maybe some of these debates should wait until that's happened.

Barry's use case is arguing for having the signature survive a re-posting.  I think that is definitely /not/ a goal that DKIM had or has.

Navigating this, therefore, isn't as simple as one might wish, if recipient MUA evaluation is required, but surviving a re-posting isn't.

As far as I am aware, DKIM validation by a recipient MUA does not constitute a measurably significant portion of DKIM use and I assume it is of essentially zero operational benefit, in statistical terms.  Yes, some MUAs can do the validation, but as we keep seeing, this sort of information has no effect on end user behavior.

Going back to an earlier posting, I noted that a site that removes the signature as part of delivery could provide an option to retain it.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim