On Wed 07/Dec/2022 18:49:47 +0100 Laura Atkins wrote:
On 7 Dec 2022, at 17:16, Barry Leiba <[email protected]> wrote:
The purpose of a DKIM signature is, as our original statement put it, to make sure that a message from your
bank actually came from your bank, even if it passed through your alumni association. Once it arrives to your
real mailbox, that signature is not needed.
As long as the signature is not removed in the alumni case I'm
somewhat less concerned, but...
In some systems, sieve scripts and other filtering is done *after* the
MUA drops the message in the delivery mailbox. If that drop removes
the signature, that hampers the sieve/filtering process severely. A
sieve "redirect" becomes impossible, and the filtering would not be
able to use the DKIM signature for other purposes either (though it
might be able to rely on the auth-results header field for some
things.
That's what concerns me.
Maybe there’s a split the baby piece where part of the signature is stripped.
I’ll be honest, the only bits I really look at are s= and d=. Maybe stripping
part (bh?) while leaving the useful bits is a solution.
Isn't it the MDA which runs sieve filters? Transparent forwarding is
harder for a MUA, as it usually has to go through Submission protocol,
which can change a number of message details.
RFC5598 distinguishes between hMDA and rMDA, delineating a logic point
where a message transits from a state where it can still be forwarded and
one where it's bound to local delivery.
Of course, that is not going to address the replay attack problem at all.
Agreed.
Best
Ale
--
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
