On Wed, Aug 9, 2023 at 3:14 PM Steffen Nurpmeso <stef...@sdaoden.eu> wrote:
> And couldn't it become standardized that verification results then
> must be included in future DKIM signatures?
> So then a verifier inserts an RFC 7001 header, and that will be
> covered by a further DKIM signature.
> Aren't you basically describing ARC here?
> And when a mailing-list or so changes fields, it could create
> a "DKIM-Backup: h1=b1, h2=b2, .." where b1 could be base64 encoded
> (gzip compressed), so that the original values could be restored.
> It should be straightforward and easy to handle this for the few
> headers like Subject:, From:, Sender: and not much more to come
> which are normally the culprit of problems. And that to be
> included in a further DKIM signature.
> A DKIM verifier can then restore the original content and verify
> it accordingly.
>
> This all not today, but the road is not that long and winding.

Even if you could revert header field values to their signature-time content, it's what's there now that gets shown to the user. So if I have a DKIM-Backup field that lets the original DKIM-Signature validate, but the new Subject has a spam URL in it, then I'm using that signer's domain to show you content they didn't intend. It's the same problem, isn't it?

-MSK, participating
_______________________________________________ Ietf-dkim mailing list Ietf-dkim@ietf.org https://www.ietf.org/mailman/listinfo/ietf-dkim
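An added illustration of the objection above (a constructed example, not code from this thread or from any DKIM implementation): a stand-in signer covers From and Subject, a list rewrites Subject but stashes the original in the proposed DKIM-Backup field, and a verifier restores it before checking. The signature validates on the restored view while the Subject the recipient actually sees is the rewritten one. An HMAC with a constructed key stands in for the real DKIM signing algorithm, and the field syntax is assumed, since the thread only sketches it.

```python
import base64
import gzip
import hashlib
import hmac

# Constructed stand-in for the signer's private key (real DKIM uses RSA/Ed25519).
SIGNER_KEY = b"example.org-selector-key"
SIGNED_FIELDS = ("from", "subject")   # plays the role of DKIM's h= tag


def sign(headers):
    """Signature over the listed fields, in h= order."""
    data = "\r\n".join(f"{f}:{headers[f]}" for f in SIGNED_FIELDS).encode()
    return hmac.new(SIGNER_KEY, data, hashlib.sha256).hexdigest()


def verify(headers, sig):
    return hmac.compare_digest(sign(headers), sig)


def list_rewrite(headers, new_subject):
    """Mailing list: change Subject, keep the original gzip+base64 in DKIM-Backup
    (assumed syntax: name=blob, ';'-separated)."""
    blob = base64.b64encode(gzip.compress(headers["subject"].encode())).decode()
    out = dict(headers)
    out["subject"] = new_subject
    out["dkim-backup"] = f"subject={blob}"
    return out


def restore(headers):
    """Verifier: rebuild the signature-time view of the headers from DKIM-Backup."""
    restored = dict(headers)
    for item in headers.get("dkim-backup", "").split(";"):
        name, _, blob = item.strip().partition("=")
        if name:
            restored[name] = gzip.decompress(base64.b64decode(blob)).decode()
    return restored


def check(original, received, sig):
    """(signature valid on restored headers, displayed Subject is the signed one)."""
    valid = verify(restore(received), sig)
    return valid, received["subject"] == original["subject"]


ORIGINAL = {"from": "alice@example.org", "subject": "Meeting notes"}   # constructed
SIG = sign(ORIGINAL)
# Constructed rewrite: the list (or anyone relaying) changes what the user will see.
RECEIVED = list_rewrite(ORIGINAL, "Meeting notes http://spam.invalid/")
```

`check(ORIGINAL, RECEIVED, SIG)` returns `(True, False)`: the restored headers verify under the signer's domain, yet the Subject shown to the user is not what that domain signed.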