-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In message <CAAFsWK1mfEBLMZuD5n9iYG+K4-SMhA_sRKe2JHXwW+yOFb- [email protected]>, Wei Chuang <[email protected]> writes
>These are requests for clarification for draft-clayton-dkim2-spec-04 ><https://datatracker.ietf.org/doc/html/draft-clayton-dkim2-spec-04>. OK >There are three major areas that potentially need more specification as >they call into question some of the replay protections that motivated this >effort. It is also possible that I haven't kept track of all developments >on this mailing list so I would be happy to be corrected and that my >concerns are unfounded. > >First, one of the key features to prevent replay in a precise way is the >"mf=" and "rt=" comparison, however the current specification lacks >comparison of the local-part as far as I can tell. I have rewritten this to clarify that the recipient of a message needs to immediately check that the most recent DKIM2-Signature header field has rt/mf values that match exactly with what was specified in the RFC5321 conversation. "Exactly" is a bit subtle for rt= since we now allow multiple RCPT TO For checking the "chain of custody" local part does not matter (and we allow sub-domains to match) >Second, the verifier specification calls for checking the most recent >DKIM2-Signature but does not describe validating the remaining of the >DKIM2-Signatures or Message-Instances. I have posted about what is needed already ... let's see if my new version of document is precise and clear enough :) >Third, there should be an alignment check between the "mf=" and "rt=" >domains and the DKIM2-Signature d= domains. I think you mean just with MAIL FROM ! > Ideally the domain names are >matched with some allowance subdomains i.e. "relaxed" matching. For a >given DKIM2-Signature at some "i=value", the "mf=" should match the "d=" at >that value, and the "rt=" should match the "d=" for "value+1" if that >DKIM2-Signature is present. We already require mf/rt to match (in a relaxed way) so if mf= and d= match then I think that is already covered - -- richard @ highwayman . com "Nothing seems the same Still you never see the change from day to day And no-one notices the customs slip away" -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBaUxMzmHfC/FfW545EQJwbACdFtPzBvFLtdzv6EwsORjXbzLgjs8AoMJA FjcvnuQ7t9lkRy53f2isXBbu =6ojl -----END PGP SIGNATURE----- _______________________________________________ Ietf-dkim mailing list -- [email protected] To unsubscribe send an email to [email protected]
