On Tue, May 6, 2025 at 2:54 AM Taavi Eomäe <[email protected]> wrote:
> Hi, > > On 05.05.2025 21:29, Wei Chuang wrote: > > One idea is to ask receivers to fully trust the security gateway as > > the modifications done are to protect the receiver's users with best > > effort by the gateway. > > In this case ARC would be the only correct solution. > > While DKIMv2 might provide some theoretical possibility of reversing the > transformations, in my humble opinion such absolute requirements of > trust make it too hard to figure out how in theory (if at all) DKIMv2 > should be changed to accommodate. > > And as such, any gateways should not be directly accounted for in the > standard. In the same exact way as we've learned with TLS(v1.3), not to > accommodate middleboxes unless absolutely necessary to let traffic pass > through. > > This "certification process" is akin to adding random security appliance > root certificates to people's trust stores. It should not be done. > I put out the "certification" process as a strawman to see if such flexibility for arbitrary modification by a "trusted" security way is of interest to the community. Looking at the other similar reply as well, it sounds like no, this is a bridge too far. As mentioned in my original description, the likely other avenue is for such forwarders to take full DKIM2 "ownership" of the message when modified. And another likely alternative is to ask such security gateway providers to not modify messages that are meant to be forwarded. -Wei
_______________________________________________ Ietf-dkim mailing list -- [email protected] To unsubscribe send an email to [email protected]
