Douglas Otis wrote:
What /was/ discussed was the possibility of doing a signature that
would validate before DATA. This merely requires a signature that
does not cover the body.
DKIM has split out the body hash from that of the header fields, but
that only permits hashing the message body later. Not much saved there.
The current framework payoff would be to use POLICY at the data level
simply because most of its potential benefit DOES NOT require rehashing.
It would be a form of Query Dissemination Filtering Technique -
removing the obvious as fast as possible.
- DATA analysis after <CRLF>.<CRLF> and before response:
# ADSP RULE (No Rehash Check)
if 5322.From Domain ADSP has DISCARD and there
is no (physical) signature REPLY WITH 551
# ADSP RULE (Message BH= Rehash Check)
if 5322.From Domain ADSP has DISCARD and the
BH= REHASH fails REPLY WITH 551
# LOCAL POLICY RULE (No Rehash check)
if 5322.From Domain ADSP has ALL and there
is no signature and Local Policy
__XYZ_____ Detected State (SPF),
then REPLY WITH 551
In other words, to make it scale it is possible to apply these low
overhead rules at this DATA state. The information is there. BH= would
be small overhead.
It is possible to do a B= rehash check also:
# ADSP RULE (Message B= Rehash Check)
if 5322.From Domain ADSP has DISCARD and the
B= REHASH fails REPLY WITH 551
But that means you need the entire body and it might not scale for
many mid to large sites without load balancing, fast hardware and
highly optimize DNS operations. Smaller volume sites can afford to
this though.
--
HLS
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html