ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] detecting header mutations after signing

2010-10-08 15:32:02
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org 
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Wietse Venema
Sent: Friday, October 08, 2010 1:16 PM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] detecting header mutations after signing

What I describe would be a best practice application of DKIM
mechanisms that already exist.

Mail is signed as if there are N+1 instances of each header that
is covered by the DKIM signature.  The verifier will then fail if
any such header is added after-the-fact.

With this, there is no need to rely on enforcement mechanisms
outside DKIM, such as the correct implementation of RFC 5322.

I would suggest constraining that to include only those fields that are 0-or-1 
in RFC5322 Section 3.6.  For example, doing this with Received: is begging for 
signature invalidation on otherwise unaltered messages.

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>