As you probably noticed some of email signing proposals (IIM, MTA Signatures
and other S/MIME based proposal) duplicate important email headers as part
of the signature itself and than create hash of that copy. It occurs to
me it maybe possible to unify this in some way by creating kind of standard
header duplication standard. In fact the simplest I can think of is just
copy the entire header with standard "prefix" in similar way I did it
when creating set of "Original-" headers as described in
http://www.elan.net/~william/emailsecurity/draft-leibzon-emailredirection-traceheaders-00pre03.txt
So lets say we want to make sure the signature survives if Subject and From
are changed, then we copy the headers into "Duplicated-Subject:" and
"Duplicated-From:" in these are not "normal" headers but are considered
trace headers, like Received - so they are not to be modified by subsequent
systems. Now its a lot easier for email signature standard because all its
need to do is to create hash of all trace headers rather then creating
specific list of headers to be signed.
Note that we will still need an option in signature system to be able
to specify additional headers if in the future we add new trace headers,
in fact specifying headers can be done same was as in DK if we allow
for specifying set of headers with same "prefix".
P.S. The prefix name "Duplicated-" is just example, I've no idea what is
good prefix name to use for something like this, if you have good name
for it, please say so.
---
William Leibzon, Elan Networks:
mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
http://www.elan.net/~william/emailsecurity/