At 11:27 27-04-10, Alessandro Vesely wrote:
At any rate, all what I'm trying to say is that a few certified
fields, e.g. "From:", "To:", and "Date:", are more useful than a
broken signature, in most cases.
Yes, they are. RFC 4871 describes what is being covered by the DKIM
Signature. For the sake of the discussion, I'll overlook that. It
would be good to have these fields certified by limiting the DKIM
signature to cover them only. There are cases where we will still
end up with a broken signature though. In a one to one exchange,
let's presume that the message won't be reinjected. It's different
for an open mailing list as you any of the subscribers can reuse what
has been certified and add their own content. In simple terms, you
are providing a blind certificate by only (DKIM) signing those fields.
We could use this blind certification for one to one exchanges. If
the recipient's account or any of the hops through which the message
transits is compromised, there will be abuse. That's already
happening by the way. I would caution anyone against using such a
certification for mailing lists as they will be providing a means for
anyone to affix their DKIM signature to new content. I am not
recommending "l=0".
Regards,
-sm
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html