On 4/22/2025 1:25 AM, John Levine wrote:
> Except that as Dave notes there's no way within existing DKIM to verify that the envelope addresses in the headers match the actual envelope addresses, nor to require that the signing domain match the sender address, nor that the signatures form a linked chain, as described in Bron's draft.

Right. If a receiver has not upgraded to support DKOR, they will do a basic DKIM validation and, presumably, it will succeed. As receivers add DKOR support, they will get the intended value-add of Replay detection.

It appears that you are seeing the ability to have incremental adoption as a deficiency.

> If we went down this road there's no way other than heuristics to tell whether a particular signature or chain of signatures is supposed to be old DKIM or new DKIM,

The presence of either or both of the DKOR-related header fields in the list of covered fields self-declares the presence of DKOR.

Please explain how that is a problem.

> nor what it means for an old DKIM verifier to handle the parts it recognizes in a new DKIM signature.

I do not understand what problem you are seeing. Please clarify with more detail.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
bluesky: @dcrocker.bsky.social
mast: @[email protected]
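The self-declaration point above, as an added example that is not from the thread, the draft, or any DKIM implementation: a receiver can read the h= tag of a DKIM-Signature field (the list of covered header fields, RFC 6376 tag-list syntax) and classify the signature as plain DKIM or DKOR-bearing purely from whether the DKOR header fields appear in that list. The draft's actual DKOR field names are not given in the thread, so the names in DKOR_FIELDS are hypothetical placeholders; the two sample signature values are constructed, not captured from real mail.

```python
"""Added example: detect a DKOR-bearing DKIM-Signature from its h= tag.

The DKOR header-field names are NOT given in the thread; the names below
are hypothetical placeholders used only to demonstrate the logic.
"""
import re

# Hypothetical DKOR header-field names (placeholders, not from the draft).
DKOR_FIELDS = frozenset({"x-dkor-envelope", "x-dkor-chain"})

# Constructed sample DKIM-Signature values (bh= and b= are dummies).
PLAIN_SIG = (
    "v=1; a=rsa-sha256; d=example.org; s=sel; "
    "h=from:to:subject:date; bh=abc=; b=xyz="
)
DKOR_SIG = (
    "v=1; a=rsa-sha256; d=example.org; s=sel;\r\n"
    " h=from:to:subject:X-DKOR-Envelope:\r\n"
    "  x-dkor-chain; bh=abc=; b=xyz="
)


def parse_dkim_tags(value: str) -> dict:
    """Parse a DKIM-Signature tag=value list (RFC 6376 tag-list syntax).

    Tag names are lower-cased; folding whitespace inside values is removed,
    which is correct for h=, bh= and b= (whitespace is insignificant there).
    """
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def covered_fields(value: str) -> list:
    """Return the header-field names listed in h=, lower-cased and in order.

    A legacy verifier simply feeds every listed field into the hash, so
    unknown (DKOR) names do not break plain DKIM verification.
    """
    tags = parse_dkim_tags(value)
    return [f.lower() for f in tags.get("h", "").split(":") if f]


def declares_dkor(value: str) -> bool:
    """True when either or both DKOR fields appear among the covered fields."""
    return any(f in DKOR_FIELDS for f in covered_fields(value))


def classify(value: str) -> str:
    """Label a signature without heuristics: the h= list self-declares DKOR."""
    return "dkor" if declares_dkor(value) else "plain-dkim"


if __name__ == "__main__":
    for label, sig in (("constructed plain", PLAIN_SIG), ("constructed DKOR", DKOR_SIG)):
        print(f"{label}: covered={covered_fields(sig)} -> {classify(sig)}")
```

An upgraded receiver would run its DKOR checks only on signatures classified "dkor"; a receiver without DKOR support never calls this and verifies the signature as ordinary DKIM, which is the incremental-adoption property the message describes.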
_______________________________________________ Ietf-dkim mailing list -- [email protected] To unsubscribe send an email to [email protected]
