On Tue, 19 Aug 2025, Andrew Gallagher wrote:

>> I see how you could use it to wrap S/MIME (that's CMS) but I still don't see
>> how you would wrap DKIM in any way that makes sense.
>
> To be clear, neither do we. This proposal does not operate at the same level of
> the stack as DKIM, and it does not target the same problem space as DKIM. It
> does however sign over (a subset of) the data that DKIM signs over, which is
> where the suggestion for (partial) alignment arises.

But it seems to me you could say the same thing about PGP and S/MIME and I
don't know anyone trying to combine them even though they're semantically
a lot closer.
There's been a great deal of confusion (not by you) between the outer
headers on a message and the copy wrapped inside a MIME part that this
scheme signs. As I have said several times, the kinds of header changes
that DKIM tries to deal with are unlikely to happen to wrapped headers
since no MTA I know looks inside a MIME part for extra headers, so
canonicalization isn't relevant.

It's possible that the change algebra might help messages survive mailing
lists, but it is my impression that lists tend to pass MIME messages
through as is, perhaps wrapping them in an extra layer of
multipart/something which an MUA receiving the unobtrusive signatures
should still be able to handle. If that's the goal, it'd be a good idea
to be clearer about what problem you're trying to solve, keeping in mind
that there is no promise that the mutated message bears any relation to
the original and one of our open questions is whether there's a
straightforward way to say how much change is too much.

DKIM's key distribution is deliberately kind of weak because the
signatures are only intended to sign messages in transit and be looked at
within a week or two. (I realize that few people rotate keys and it's
often possible to check signatures a lot later, but that's not the
intent.) Personally I don't think it's a good idea to try to put PGP keys
in the DNS, but if you want to do that, RFC 7929 says how you can do it.

So I still don't see any useful combination, which is why I keep saying if
you think this is useful, write a draft so other people can see what you
are proposing.
R's,
John

PS:

> (FYI your MTA is rejecting connections from mine. RBL problems?)

Hetzner's IPv4 networks send so much spam that it's not worth trying to
pick out the trickle of normal mail.
Ietf-dkim mailing list -- [email protected]