On Thu, 11 Jan 2007, Dave Crocker wrote:
> 1. How are folks deciding what fields to sign?
Our current implementation signs all headers by default, but you can
select your own list as an override. However, it will always include
From, Date, Subject, Sender, Resent-From, Resent-Sender, and all Content-*
headers regardless of the list you give it. I came up with that set on my
own.
I'd have to think about it for a while to recall why that particular list
was chosen.
> 2. To what extent do we care about different signers choosing different
> fields to sign, in terms of how to process a validated signature?
Our implementation currently doesn't check. However, it does have the
option to note that "l=" is in use, and require that a fixed minimum
volume or percentage of the message was signed (e.g. "don't accept a
message which was only 10% signed").
That logic could easily be extended to say "don't accept a message which
contains an unsigned X, Y or Z header", which leaves the control of those
requirements in the hands of the verifier. I'd be inclined to have that
list default to From, Date and Subject, but be configurable to require
additional headers.
-MSK
_______________________________________________
dkim-dev mailing list
dkim-dev(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-dev
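
The verifier-side policy described in the message above (a minimum signed fraction when "l=" is in use, plus a configurable list of headers that must not appear unsigned), sketched as an added example that is not part of the original post and not the code of the implementation it describes. The function names, the 50% default and the sample signature are assumptions; the canonicalized body length is assumed to be computed elsewhere.

```python
import re

def parse_tags(sig_value):
    """Split a DKIM-Signature value (a tag=value list) into a dict."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags

def coverage_problems(sig_value, header_names, body_len,
                      required=("from", "date", "subject"), min_fraction=0.5):
    """Return reasons to reject an already-validated signature; [] means accept.

    header_names: names of all header fields in the received message.
    body_len: length in bytes of the canonicalized body (assumed input).
    """
    tags = parse_tags(sig_value)
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    present = [h.strip().lower() for h in header_names]
    problems = []
    for name in (r.lower() for r in required):
        # Each h= entry covers one instance of a header; any extra
        # instance in the message is outside the signature.
        if present.count(name) > signed.count(name):
            problems.append(f"unsigned {name} header")
    if "l" in tags:
        if not re.fullmatch(r"[0-9]+", tags["l"]):
            problems.append("malformed l= tag")
        elif body_len > 0:
            fraction = min(int(tags["l"]), body_len) / body_len
            if fraction < min_fraction:
                problems.append(f"only {fraction:.0%} of body signed")
    return problems

# Constructed sample signature; bh= and b= are placeholders, not real values.
SAMPLE_SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel1; "
              "h=from:date:subject; l=120; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    print(coverage_problems(SAMPLE_SIG, ["From", "Date", "Subject", "To"], 1200))
    print(coverage_problems(SAMPLE_SIG, ["Subject", "From", "Date", "Subject"], 200))
```

The second call shows why the header check counts instances: a second Subject field added to the message is not covered by the single "subject" entry in h=.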