On Tue 15/Jul/2025 17:01:14 +0200 Hannah Stern wrote:
> Hi!
> How about multiple b=, like this:
> DKIM2-Signature: i=1; d=example.com; b=hash1:signature1:selector1;
> b=hash2:signature2:selector2; ...
> I.e. allow multiple b= and combine bh and selector into the signature (bh too
> as to allow for different hash algorithms as determined per selector)? The
> format itself could be without hard format-defined limit, but the standard
> should probably set technical limits (signers MAY NOT add more than 10
> signatures, verifiers SHOULD accept up to 10 signatures, or something)?
> Or
> bh1=hash1;bh2=hash2;b=1:signature1:selector1;b=1:signature2:selector2;b=2:signature3:selector3
> So hash values can be reused if the hash is the same for 2 signature schemes
> (like rsa-sha256 and ed25519-sha256) but could eventually be different for a
> third one (say, somepq-sha3)? The numbers directly after b= would reference the
> digit suffix for bhN.

There seems to be some confusion on field names. Isn't b= the actual
signature? And bh=? The body hash ought to be the same for all signatures.
For yet another idea, why not enclose each signature in its own comment?
i=1; d=example.com; bh=EbhL2B19OrE...; (s=alfa, b=BgHNOO...; h=List-Archive);
(s=beta; b=ChNOPQ...); (s=gamma; b=DiORj...; h=X-Conspiracy); t=1752591685
Best
Ale
--
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
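
The indexed layout floated in the quoted message (bhN= hashes referenced from b=N:signature:selector), as an added example that is not part of the thread or of any DKIM2 draft: a strict parser that resolves each b= to its body hash and rejects dangling references, duplicate tags, and more signatures than the limit mentioned in the thread. The function name, the returned structure, and the choice to reject rather than ignore excess signatures are assumptions.

```python
import re

MAX_SIGNATURES = 10  # limit floated in the thread; not taken from any specification
# Constructed sample value in the proposed layout (placeholder strings, not real data).
SAMPLE = ("i=1; d=example.com; bh1=hash1; bh2=hash2; "
          "b=1:signature1:selector1; b=1:signature2:selector2; "
          "b=2:signature3:selector3")


def parse_proposed(value, max_sigs=MAX_SIGNATURES):
    """Return (other_tags, signatures); each signature carries its resolved hash."""
    other, hashes, raw_sigs = {}, {}, []
    for item in filter(None, (p.strip() for p in value.split(";"))):
        # Split on the first "=" only, so base64 padding in the value survives.
        name, sep, val = (s.strip() for s in item.partition("="))
        if not sep or not name:
            raise ValueError(f"malformed tag: {item!r}")
        m = re.fullmatch(r"bh([1-9][0-9]*)", name)
        if m and int(m.group(1)) in hashes:
            raise ValueError(f"duplicate {name}")
        if m:
            hashes[int(m.group(1))] = val
        elif name == "b":
            raw_sigs.append(val)  # repeated b= is the point of the proposal
        elif name in other:
            raise ValueError(f"duplicate tag: {name}")
        else:
            other[name] = val
    if not 1 <= len(raw_sigs) <= max_sigs:
        raise ValueError(f"expected 1..{max_sigs} b= tags, got {len(raw_sigs)}")
    sigs = []
    for raw in raw_sigs:
        parts = raw.split(":")  # base64 never contains ":", so this is unambiguous
        if len(parts) != 3 or not all(parts) or not re.fullmatch(r"[1-9][0-9]*", parts[0]):
            raise ValueError(f"malformed b= value: {raw!r}")
        ref = int(parts[0])
        if ref not in hashes:
            raise ValueError(f"b= references undefined bh{ref}")
        sigs.append({"bh": hashes[ref], "sig": parts[1], "selector": parts[2]})
    return other, sigs
```
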