On 4/28/19 11:35 AM, John Levine via mailop wrote:
> Oversigning those headers is silly.

Oversigning may be /silly/.  But it's still the sending site's choice.

> Let's say you send out a DKIM signed message without Sender and List-Foo, and then an extremely malicious mailing list grabs your message and adds those headers and forwards your message without breaking the DKIM signature, which means the list didn't change the subject or the message body.

But they did modify the message and they did send it somewhere that I did not.

> What's the worst that could happen? Someone is led to believe that you subscribe to a list that you don't? Oh, nooooooooo.

What's the worst that can happen if I use your name when ordering a sandwich at a local eatery? Not much. But the fact remains that I shouldn't use your name. Nor should someone modify my message.

Then there's also the slippery slope of what headers is it okay to add? Why is it okay to add them? Why is it not also okay to add other headers?

IMHO headers other than those required as normal email operation should not be added. Particularly while pretending to be the original sender.

Create a new message based off of the message that I sent, and represent yourself, and I'm cool.

> As Bill C. explained, Exim is just wrong here.

So what. The sending site is allowed to do what they want to do. IMHO ignorance of what is being done is a bigger problem than what is done. Thankfully, the ignorance of what is being done is easier to solve. :-)



--
Grant. . . .
unix || die


_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
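The mechanism the thread argues about is the DKIM `h=` tag: a signer lists header field names, and per RFC 6376 §5.4.2 the verifier picks, for each listed name, the last not-yet-used instance of that header in the message; a name listed more times than the header occurs matches nothing and so binds the header's absence ("oversigning"). The script below is an added illustration written for this post, not code from the thread or from any DKIM implementation. It assumes constructed header sets for an originating message and for the same message after a list has added Sender and List-Id, and it stands in for the real signature with a SHA-256 over the relaxed-canonicalized selected headers, leaving out the body hash, the DKIM-Signature field itself and the actual RSA/Ed25519 signing step, which do not affect which header bytes are covered.

```python
import hashlib
import re

# Constructed sample headers (name, value) in message order; not real mail.
SIGNED_AT_ORIGIN = [
    ("From", "grant@example.invalid"),
    ("To", "mailop@example.invalid"),
    ("Subject", "Re: oversigning headers"),
]

# The same message after a mailing list has added two headers without
# touching From, To, Subject or the body.
AS_FORWARDED_BY_LIST = [
    ("Sender", "list-bounces@example.invalid"),
    ("List-Id", "mailop.example.invalid"),
] + SIGNED_AT_ORIGIN


def relaxed_canon(name: str, value: str) -> str:
    """RFC 6376 'relaxed' header canonicalization: lowercase the name,
    unfold, collapse runs of whitespace to one space, trim the value."""
    name = name.strip().lower()
    value = re.sub(r"\s+", " ", value).strip()
    return f"{name}:{value}\r\n"


def select_headers(headers, h_tag):
    """Pick the headers an h= tag covers, per RFC 6376 section 5.4.2:
    for each name in h= (in order), take the last instance of that header
    not already taken, scanning bottom-up. A name with no remaining match
    contributes nothing, which is how oversigning covers an absent header."""
    remaining = list(headers)
    chosen = []
    for wanted in h_tag.split(":"):
        wanted = wanted.strip().lower()
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted:
                chosen.append(remaining.pop(i))
                break
    return chosen


def header_hash(headers, h_tag) -> str:
    """Hash of the covered, canonicalized headers. Simplification: real DKIM
    also appends the DKIM-Signature field (with b= emptied) and signs the
    hash; only the header selection matters for this demonstration."""
    data = "".join(relaxed_canon(n, v) for n, v in select_headers(headers, h_tag))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def signature_survives(original, modified, h_tag) -> bool:
    """True if the modified message still hashes to what was signed,
    i.e. the modification did not touch any covered header."""
    return header_hash(original, h_tag) == header_hash(modified, h_tag)


if __name__ == "__main__":
    plain = "from:to:subject"
    oversigned = "from:to:subject:sender:list-id"
    print("plain h= survives list additions:", signature_survives(SIGNED_AT_ORIGIN, AS_FORWARDED_BY_LIST, plain))
    print("oversigned h= survives list additions:", signature_survives(SIGNED_AT_ORIGIN, AS_FORWARDED_BY_LIST, oversigned))
```

With `h=from:to:subject` the added Sender and List-Id are simply not covered, so the forwarded copy verifies; with `sender` and `list-id` also listed, the signer has bound their absence and the list's additions change the covered bytes, so verification fails. The same selection rule is why signers list `from` or `subject` twice: the second entry covers a header that does not yet exist, so a later prepended duplicate breaks the signature.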