(I'm sending an independent copy of this note to the dkim-dev mailing list,
because I'm not sure which venue is the better choice. -dev has the more focused
group, but the topic of this note probably has a larger implication, so that
ESTG might permit broader representation of views. So, apologies if you are
getting this twice and bigger apologies if you are not a member of the ESTG
group.)
Folks,
One of the basic points of flexibility in DKIM is permitting the signer to
declare a subset of headers that is part of the signature. (h= specifies the
list.)
This allows the infrastructure to add/modify other header fields, with no impact
on the verification. However it also opens the door to insufficient or
incompatible signing. I sign a few fields, and you validate as if there is a
robust protection of the headers. I sign a few headers and you sign a lot, with
little overlap between our sets; should the validator treat validation of our
two messages the same?
So,
1. How are folks deciding what fields to sign?
2. To what extent do we care about different signers choosing different fields
to sign, in terms of how to process a validated signature?
3. ...?
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
dkim-dev mailing list
dkim-dev(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-dev