On Aug 2, 2010, at 3:37 PM, Rolf E. Sonneveld wrote:
> Hi, all
>
> in the light of the discussion about draft-ietf-dkim-mailinglists I'd
> like to propose an alternative way to solve the MLM dilemma on how to
> deal with original DKIM signature/message versus sending out a modified
> version of the message. This proposal may be impractical or hard to
> realize, but I'd just thought I had to share it with you.
>
> The proposal is to preserve the original message + DKIM signature and to
> add the new (probably partially rewritten) output message, combined into
> a multipart/alternative structure. The combined message is sent by the
> MLM to the recipient. For the original message + DKIM signature, we
> could register a Content-Type of e.g. message/dkim-original-message with
> IANA. The output message would be the other part of the
> multipart/alternative, with the normal MIME structure of the MLM output
> message. A sample message sent by an MLM (or more in general, by a
> re-signer) would look like:

Does this mean that anyone can take their own content and
a message DKIM signed by someone else, and then send it out
such that their content will be displayed, but the (non-displayed)
signed message will be checked?

If so, this seems like exactly the replay attack that DKIM was designed
to prevent.

Cheers,
Steve
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html