On Thu, May 8, 2025, at 05:14, Taavi Eomäe wrote:
> Hi,
>
> On 07.05.2025 00:57, Wei Chuang wrote:
> > I put out the "certification" process as a strawman to see if such
> > flexibility for arbitrary modification by a "trusted" security way is
> > of interest to the community. Looking at the other similar reply as
> > well, it sounds like no, this is a bridge too far. As mentioned in my
> > original description, the likely other avenue is for such forwarders
> > to take full DKIM2 "ownership" of the message when modified. And
> > another likely alternative is to ask such security gateway providers
> > to not modify messages that are meant to be forwarded.
> > -Wei
>
> While it's a valid use-case and I don't want to rain on your ideas, it
> fundamentally seems like a trust question outside of something a
> standard process could hope to dictate. Akin to VMC/BIMI.
>
> While it would not be entirely bad if DKIMv2 could also replace ARC, but
> if it boils down to trust, we'd all still have to maintain a trusted
> modifier list the same way we do for ARC. If it could be automated, we
> wouldn't be speaking of arbitrary modifications. Plus ARC is already
> here and should do the job asked.

I am very keen for DKIM2 to replace ARC. It already needs to do pretty much everything that ARC does in order to have the other properties we want from it, so doing that in parallel with ARC for any length of time is over complexifying the stack, and I'd prefer to deprecate ARC as part of DKIM2.

So if there's anything ARC currently does better, I'd want to see if we can implement that into DKIM2 as well. One case that has already been discussed is the signed Authentication-Results headers, and I would be very keen for a `DKIM2-Authentication-Results: i=<n>; ...` header to be defined and included in the signature in the same way that ARC has it - potentially as a separate optional document since DKIM2 would work without it, and if we define that any header starting with DKIM2- is only signed for copies with i= same as or lower than the current DKIM2-Signature number, then it's easy to add if you want.

Bron.

--
  Bron Gondwana, CEO, Fastmail Pty Ltd
  [email protected]

_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
