Thank you for taking the time to answer my questions - most appreciated. Your answer has addressed questions 1 and 2 for me. I'm still unclear on certain aspects of question 3, though:
On 11 Mar 2024 at 8:54, Murray S. Kucherawy wrote:

> The signature is the result of base64-encoding the RSA encryption of
> the data-hash.
>
> The data-hash is the result of passing the canonicalized headers, in
> order, to the SHA algorithm. The canonicalized headers include, at
> the end, the incomplete DKIM-Signature field that's under
> construction. You then append the base64-encoded form of that
> signature to the incomplete DKIM-Signature field and attach it to the
> message.

The pseudocode for "sig-alg" says:

    signature = sig-alg (d-domain, selector, data-hash)

I took this as meaning that the d-domain and selector strings need to be passed to something before the data-hash; the problem was what that "something" was - I had been assuming that it was a third hash that was then signed, yet the rest of the section says (in more than one place) that only two hashes are required.

Having read through your response, which describes the process as I was originally expecting to follow it, I now wonder if this is another case of the pseudocode having confused me as it did in question (1)...

Are we perhaps intended to read "d-domain" and "selector" as parameters that are used to choose the appropriate signing key, rather than as input to the signed data itself?

Again, my thanks for your help.

Cheers!

-- David --

------------------ David Harris -+- Pegasus Mail ----------------------
Box 5451, Dunedin, New Zealand | e-mail: david.har...@pmail.gen.nz
Phone: Number provided on request only.

Sign seen in a Vienna hotel:
"In case of fire, do your utmost to alarm the hotel porter."

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
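
An added example, not part of the original message or of the RFC text: a sketch of the two-hash signing flow described in the quoted reply, under the reading that d-domain and selector only pick the key (in RFC 6376 the verifier fetches the public key from the DNS record at selector._domainkey.d-domain), while both still reach the signed data as the d= and s= tags of the DKIM-Signature field. The `KEYS` store, the toy RSA key, the helper names and the sample message are constructed assumptions; the body is taken as already canonicalized and the verifier's bh= comparison is left out.

```python
import base64, hashlib, re

# Constructed toy RSA key built from two Mersenne primes: insecure, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
# Hypothetical key store: (d-domain, selector) picks the key and nothing more.
# A real signer holds only the private part; a verifier gets the public part from DNS.
KEYS = {("example.com", "sel1"): (N, D)}
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def relaxed(name, value):
    """RFC 6376 'relaxed' header canonicalization, without the trailing CRLF."""
    value = re.sub(r"\s+", " ", value).strip()
    return f"{name.lower().strip()}:{value}".encode()

def data_hash(headers, dkim_value):
    """Hash 2: signed headers in h= order, then the DKIM-Signature field
    with an empty b= tag and no trailing CRLF."""
    h = hashlib.sha256()
    for name, value in headers:
        h.update(relaxed(name, value) + b"\r\n")
    h.update(relaxed("DKIM-Signature", dkim_value))
    return h.digest()

def emsa(digest, n):
    """EMSA-PKCS1-v1_5 encoding of a SHA-256 digest, returned as an integer."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_DIGESTINFO + digest
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign(headers, body, domain, selector):
    # Hash 1: the body hash, carried in the bh= tag.
    bh = base64.b64encode(hashlib.sha256(body).digest()).decode()
    names = ":".join(name.lower() for name, _ in headers)
    dkim = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
            f"h={names}; bh={bh}; b=")
    n, d = KEYS[(domain, selector)]          # key selection by d= and s=
    sig = pow(emsa(data_hash(headers, dkim), n), d, n)
    return dkim + base64.b64encode(sig.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def verify(headers, field):
    # Blank the b= value, recompute the data-hash, compare the full padded encoding.
    unsigned, b64 = field.rsplit("; b=", 1)
    unsigned += "; b="
    tags = dict(t.strip().split("=", 1) for t in unsigned.split(";"))
    n, _ = KEYS[(tags["d"], tags["s"])]      # stands in for the DNS key lookup
    sig = int.from_bytes(base64.b64decode(b64), "big")
    return pow(sig, E, n) == emsa(data_hash(headers, unsigned), n)
```

Comparing the whole padded encoding in `verify`, rather than only the trailing digest bytes, avoids accepting signatures with malformed padding.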