On Fri, Jun 20, 2025, at 03:00, Alessandro Vesely wrote: > On Wed 18/Jun/2025 23:15:37 +0200 Bron Gondwana wrote: > > Note that we're still signing each recipient individually. Then if Sheila > > has > > a forwarding rule, it only keeps her i=1 header, so that forwarded message > > would contain: > > > > DKIM2: i=1; [email protected] [email protected]; d=example.com > > DKIM2: i=2; [email protected]; [email protected]; > > d=example.org > > > This point relies entirely on the good faith of the forwarder. A malicious > replayer would put a different signature, in order to confuse the attribution > of reputation.
How? It's not like they can just arbitrarily make up a signature. My examples here elide a bunch of crypto stuff which you can't actually create without having a key in the DNS for example.org, and unless you own example.org, you can't create that. If you DO own example.org and you're the malicious forwarder then you're tanking your own reputation. That's the point. And if you're some bad third party who somehow got a copy of this message, you can replay it to [email protected], but you can't replay it to someone else. If you're NOT example.org and you're replaying this message, your signature won't align with the i=1 message from Alice, so you won't be able to pretend that the message came from her in the first place. > Isn't it possible to explicitly request the previous rt=? That is, to have: > > DKIM2: i=2; [email protected]; [email protected]; d=example.org Sure. You could do that. I don't know what you mean by "explicitly request". There's no "request" here; unless you mean "request that bounces be sent to". I would expect most sites to have a dedicated bounce handling address rather than process bounces sent back to the fowarding target, but that's entirely up to the implementation. > This solution also relies on the good faith of the forwarder, but is simpler > as > it doesn't require separate signatures. I don't understand what you mean by this at all. There's no assumption of good faith, there's assumption of "you can't create one of these unless you have a key". That's an assumption based on the mathematical soundness of the cryptographic algorithms we use. Bron. -- Bron Gondwana, CEO, Fastmail Pty Ltd [email protected]
_______________________________________________ Ietf-dkim mailing list -- [email protected] To unsubscribe send an email to [email protected]
