Murray S. Kucherawy wrote in
 <CAL0qLwZ_5HmYeAzn+d-yH-BEbL08oH5=3ixztpaeioxzpyp...@mail.gmail.com>:
 |On Thu, Apr 17, 2025 at 2:47 PM Steffen Nurpmeso <[email protected]> \
 |wrote:
 |
 |> This only survives because DKIM specifies ~"one successful
 |> verification is enough".  It is a shame given that other
 |> mailing-lists ensure the original==broken signature is removed or
 |> renamed, but not even a bug report can change the situation for
 |> IETF lists!  This makes me sad.
 |>
 |> [...]
 |
 |> I give an example, here Jim Fenton's last message.  Sorry for
 |> that, but i filter out my own (on ingress):
 |>
 |>   DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d= ...
 |>
 |> Consciously broken by the IETF.  But many verifiers will try it
 |> first, and can only fail.  For ACDC i would want to avoid that,
 |> somehow.  It is -- sorry moderator -- total brain damage, is it??
 |> (And noting that, in my personal opinion, including List-* for
 |> sealing in an initial private DKIM signature is .. interesting.)
 |
 |Sorry, what broke here?  The signature itself isn't enough to understand.

I would think the [Ietf-dkim] Subject: tagging.

  Subject: [Ietf-dkim] Documents in Call for Adoption

(Disclaimer: i have actually not tried to verify the original
signature, but Subject: tagging was already part of this thread.)

 |If there's something the IETF's list servers are doing wrong, we can ask
 |the tools team to look into it.
 |
 |But let's not bog down this WG with that discussion.

Ok, .. but it is part of the problem, and it somehow needs to be
addressed, and best (imho) not only "on the island of the happy".

 |> And then: how could my domain *know* that it was the IETF list
 |> that broke the signature?  I know its DKIM signature is correct,
 |> but i would not know, i could only believe that Jim Fenton's
 |> initial DKIM signature was correct, too.  Now his signature is
 |> still in, and broken, while he is still "RFC5322.From".
 |> (And hey: he *sealed* List-* headers!!!)
 |>
 |
 |If Jim's server is signing List-* fields for a message that hasn't gotten
 |to a list yet, that seems like it guarantees this message will have DKIM
 |problems.  But again, that's not really on topic for the current
 |discussions.

Maybe it was conscious to cause problems even?
All that is definitely part of the problem.
In that an iterated DKIM will solve this easily (as only the newest
signature is tested "normally", and elder things are only tested
after applying differential changes).
But all other existing software will fail.

Greetings!

(I had not received the other one, sorry!)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
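The two breakages discussed in this message, as an added illustration that is not part of the thread or of any DKIM implementation: a simplified signing model using RFC 6376 relaxed header canonicalization (the RSA step, the DKIM-Signature field itself and body canonicalization are replaced by a plain hash comparison) shows that a list's Subject tag breaks a signature covering Subject, and that an h= entry for a List-Id field not yet present breaks as soon as the list adds it. The message, names, addresses and list behaviour are constructed.

```python
import hashlib
import re

# Constructed sample message (not from the thread), as the original signer sees it.
ORIGINAL = {"From": "Jim Fenton <[email protected]>",
            "To": "[email protected]",
            "Subject": "Documents in Call for Adoption"}
BODY = "Please review the drafts.\r\n"

def relaxed_header(name, value):
    """RFC 6376 3.4.2 relaxed header canonicalization: lowercase name, unfold,
    collapse whitespace runs to one SP, strip around the value."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"

def signed_data(headers, body, h_tags):
    """Bytes a DKIM signer hashes (simplified: the DKIM-Signature field itself and
    body canonicalization are omitted). A name in h= that is absent from the
    message contributes nothing, so adding that field later breaks verification."""
    out = b""
    for name in h_tags:
        if name in headers:
            out += relaxed_header(name, headers[name]).encode()
    return out + hashlib.sha256(body.encode()).digest()   # stands in for bh=

def verifies(h_tags, received_headers, received_body):
    """Stand-in for the RSA check: real DKIM signs sha256(signed_data) with the
    signer's key; here both sides must simply hash to the same value."""
    want = hashlib.sha256(signed_data(ORIGINAL, BODY, h_tags)).hexdigest()
    got = hashlib.sha256(signed_data(received_headers, received_body, h_tags)).hexdigest()
    return want == got

def after_list(headers, tag="[Ietf-dkim] "):
    """Constructed list behaviour: Subject tagged, List-Id added, body untouched."""
    out = dict(headers)
    out["Subject"] = tag + headers["Subject"]
    out["List-Id"] = "<ietf-dkim.ietf.org>"
    return out

if __name__ == "__main__":
    forwarded = after_list(ORIGINAL)
    print(verifies(["From", "To", "Subject"], ORIGINAL, BODY))     # True: untouched copy
    print(verifies(["From", "To", "Subject"], forwarded, BODY))    # False: Subject tag
    print(verifies(["From", "To"], forwarded, BODY))               # True: Subject unsigned
    print(verifies(["From", "To", "List-Id"], forwarded, BODY))    # False: List-Id added
```

A signer that leaves Subject out of h= survives the tag but loses protection of the Subject, which is the trade-off the thread is circling around.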
