On Mon 09/Jun/2025 18:20:23 +0200 Dave Crocker wrote:
> On 6/9/2025 8:30 AM, Alessandro Vesely wrote:
>> Here DKOR is going to differ from DKIM2 as the older signatures, once broken,
>> can no longer be verified. DKOR is more similar to ARC in this respect.
>
> I don't understand this assessment, but suspect it comes from trying to compare
> all of DKIM2 with DKOR, where DKOR is actually only comparable to a component
> of DKIM2.

Yes, to the extent that the ability to recover older signatures allows for
detecting maliciously added fake signatures. This is possible with DKIM2 but
not with DKOR.

> It's like saying that an aircraft has engineX and someone suggests instead
> using engineY, but then evaluating the choice by comparing the entire aircraft
> against engineY.
>
> This seems to be another example of the problem with calling it DKIM2, since it
> has a much, much broader scope than DKIM. And in fact, its details that fall
> within the scope of DKIM itself are relatively minor.

Agreed. However, just like the anti-replay feature can be backported to DKIM1,
so too can the difference module that allows verifying older signatures.

Best
Ale