[ietf-822] A permission to re-sign header

["John Levine" <johnl@taugh.com>]

As I understand it, the original sender puts a hard to forge single
use token in the message, which the forwarder can include in the
signed message.

Since I am lazy, I will reuse DKIM key records and invent a new
May-Resign header something like this:

May-Resign: f=marissam@yahoo.com; r=ietf.org; s=foo; a=rsa-sha256; \
   t=1397786669; b=hashhashhash

This is a permission to re-sign for a message From:
marissam@yahoo.com, to be re-signed by a mailing list at ietf.org. The
s= and a= and t= are the same as DKIM, the b= is a signature of a hash
of the M-R header, similar to the b= signature in a DKIM-Signature.

The relay includes the M-R header in the DKIM signature.  So now
we modify DMARC to say that

IF there is a M-R header with f= that matches the From: line address,

AND the M-R header is included in a DKIM signature that is signed with
d= that matches the M-R r=

AND the M-R signature validates using the s= selector and f= domain

AND the t= isn't too old (for some meaning of too old)

THEN the message is considered to be aligned.

Is that the general idea?

You could put an M-R header on anything, but if you want to limit it
to mail to addresses that claim to be mailing lists, you could use the
same name convention as the DANE S/MIME draft, with hashed mailboxes,
e.g.:

<hash of ietf-822>._mayresign.ietf.org TXT "v=MR1; d=ietf.org"

That says the ietf-822@ietf.org list is signed with d=ietf.org.  If a
domain contains only mailing lists, you can use a wildcard

*._mayresign.lists.iecc.com TXT "v=MR1; d=lists.iecc.com"

R's,
John