Taavi Eomäe wrote in
 <[email protected]>:
 |Hi,

Hello.  I just watched Stalker by Tarkovsky for the first time in
my life, and discovered Eduard Artemjew thus.  (Klaus Schulze fan
here.)  We know nothing here, really.  Also from each other.  Wow.

 |On 09.01.2026 20:07, Steffen Nurpmeso wrote:
 |> Given that collected RFC 5863 "organizational trust" can be
 |> nothing but a volatile thing, any user could, and if by accident,
 |> when playing around, out of boredom or juvenile horniness, like
 |> creating a header with a base64ified image, for example porn (ok,
 |> there is Wikipedia with lots of images, and all that, but..),
 |> that is caught and hard cut by a spam checker, declassify the
 |> reputation of the entire domain?
 |
 |I don't see how that differs from any other user-controllable input 
 |being signed. A spam checker of such poor quality would likely do so 
 |even without the headers being signed.

Well one is visible, the other not.  There is plenty in the
headers.  Also, in theory, MIME parts could be selectively handled
(if i recall Gondwana did that, actually, i will not), whereas the
"main" header is single instance.

 |I think this fear is too hypothetical and conditional compared to the 
 |real-life attack vectors caused by current DKIMv1 implementations being 
 |too conservative with which headers they sign. Future iterations should 
 |at least not repeat past mistakes.

Two things i want to say.

First of all, the RFC of v1 is absolutely sufficient.
No one can misunderstand that; if i recall correctly the defaults
of maintained software except for the OpenDKIM that responsible
parts of the IETF created and which later was turned into
abandonware -- that (buggy) thing was the only software which
does it wrong.  *That* is the only truth about that.
Engineer-wise, no.
User-wise, people may do it "wrong" consciously.  For example
i quoted covered header lists of Microsoft on this list in the
past, which must have been a conscious decision of a costly
American high-value degree, or even a group thereof.
Like Chet Ramey of the bash shell (number one shell in Unix world
i would think) said ~"this is a sharp weapon, and if you want to
shoot yourself in the foot, no one hinders you".
I do not dream of a perfect(ly) engineer(ed) world, this will not
happen, everybody with just a short time of real-life experience
knows that, even "lowest bidder" aside.  *Unfortunately*, yes.

Second.
You omit in your quotation the fact that the current draft of
this working group defines rules which piss in the face of all
the people who obeyed IETF outcome, aka rules aka "best common
practice", that has been in the world for over a decade,
consciously or not!
Today this and tomorrow that, just as this many-people WG likes
it to make today's daydream the nicest possible?
Congratulations.  No, that "X-" stuff not, it is nothing but
insulting!?!
Letting aside that the fat IronPort mess is then included.  MGA,
Spam, Received-SPF, Authentication-Results, Original-, Thread-,
and many more volatile rubbish that no one needs.  No.

You are too humble; but you are selective, too, and in a way that
surely does not embolster the quality of what this WG is going to
implement.  Imho, of course.
But i agree, maybe it is superficial to complain on headers while
having no solution for tracelessly removed MIME parts myself.
(And not planning to define one.)
*However*, no one knows who removes which of all those fat headers
on ingress, except maybe for Authentication-Results or other
headers for which the IETF itself defines "sorts of remove rules".
Somewhere, in one of the thousands of documents.
I *do* remove certain ones ingress.  And would like more to
vanish, only having not coded it yet.  Or not released.

For ACDC, in any case, we take the normal DKIM v1 rules, stricten
them regarding MIME (and if only for an iterated OpenDKIM, that
they get it right this time), and add on top a revision-counted
IANA registry.  If i would define a DKIMv2, i would do so too,
i would use abbreviations to shorten the standard names when
present (also in groups, like L=.. for lists), and, after a
separator, add a list of user defined free-form headers.

I mean come on.  Real-life attack vectors!!
That is just very bad!!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
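
An added example, not part of this thread and not code from ACDC, OpenDKIM or
any other DKIM implementation: a small Python linter for the h= header list of
a DKIM-Signature.  It separates the two failure modes argued about above, a
signer that leaves recommended headers (RFC 6376 section 5.4) uncovered, and a
signer that covers volatile trace headers (Authentication-Results,
Received-SPF, X-*) that some hop may strip, breaking the signature.  The
VOLATILE set is my own selection built from the header names mentioned in the
message, and the two sample DKIM-Signature values are constructed with
placeholder bh=/b= tags.

```python
"""Lint the h= tag of a DKIM-Signature header (constructed example)."""
import re

# RFC 6376 section 5.4: From MUST be signed; the rest SHOULD be considered.
MUST_SIGN = {"from"}
RECOMMENDED = {
    "from", "reply-to", "subject", "date", "to", "cc",
    "in-reply-to", "references", "mime-version", "content-type",
    "content-transfer-encoding", "content-id", "content-description",
}
# Assumption: trace/authentication headers that intermediaries add or remove
# in transit, so covering them risks a signature that breaks downstream.
VOLATILE = {"received", "received-spf", "authentication-results", "return-path"}


def parse_h_tag(dkim_signature: str) -> list[str]:
    """Return the header names listed in h=, lower-cased, in order, duplicates kept."""
    # Unfold RFC 5322 folded lines before splitting into tag=value pairs.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", dkim_signature)
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return [n.strip().lower() for n in tags.get("h", "").split(":") if n.strip()]


def lint_signed_headers(dkim_signature: str) -> dict:
    """Report coverage gaps and fragility of the signer's h= choice."""
    signed = parse_h_tag(dkim_signature)
    signed_set = set(signed)
    return {
        "missing_must": sorted(MUST_SIGN - signed_set),
        "missing_recommended": sorted(RECOMMENDED - signed_set),
        "volatile_signed": sorted(signed_set & VOLATILE),
        "x_headers_signed": sorted(n for n in signed_set if n.startswith("x-")),
        # RFC 6376 section 5.4.2: a name listed more times than the message
        # carries it is treated as absent, so a later-added copy breaks the
        # signature ("oversigning").  Duplicates in h= signal that intent.
        "listed_twice": sorted(n for n in signed_set if signed.count(n) > 1),
    }


# Constructed sample 1: conservative core set plus fragile trace headers.
CONSERVATIVE_PLUS_TRACE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel;\r\n"
    " h=from:to:subject:date:received-spf:authentication-results:x-mailer;\r\n"
    " bh=PLACEHOLDER; b=PLACEHOLDER"
)

# Constructed sample 2: full recommended set, From and Subject oversigned.
STRICT = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel;\r\n"
    " h=from:from:to:cc:subject:subject:date:reply-to:in-reply-to:references:"
    "mime-version:content-type:content-transfer-encoding:content-id:"
    "content-description;\r\n"
    " bh=PLACEHOLDER; b=PLACEHOLDER"
)

if __name__ == "__main__":
    for label, sig in (("conservative+trace", CONSERVATIVE_PLUS_TRACE), ("strict", STRICT)):
        print(label, lint_signed_headers(sig))
```

Run on the first sample it reports the recommended headers left unsigned and
flags Received-SPF, Authentication-Results and X-Mailer as covered volatile
headers; on the second it reports no gaps and lists From and Subject as
oversigned.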

_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
