Re: [Ietf-dkim] Headers that should not be automatically oversigned in a DKIM signature?

Hector Santos <hsantos@isdg.net> Mon, 05 February 2024 16:03 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/1sJACAor2D6Ud1SyHhDshekWkLY>

> On Feb 3, 2024, at 8:23 AM, Alessandro Vesely <vesely@tana.it> wrote:
> 
> On Fri 02/Feb/2024 14:34:22 +0100 Hector Santos wrote:
>> Of course, the MUA is another issue.  What read order should be expected for Oversign headers?  Each MUA can be different although I would think streamed in data are naturally read sequentially and the first display headers found are used in the UI.
> 
> 
> Yeah, which is the opposite of DKIM specified order.


>>   Only To: is allowed to be a list.
> 
> 
> RFC 5322 specifies lists for From:, To:, Cc:, Bcc:, Reply-To:, Resent-From:, Resent-To:, Resent-Cc: and Resent-Bcc:.


My comment was regarding the MUA and the order data is read. I wonder which MUAs will display a list for Display fields From: and Resent-*, if any. Are all of these OverSign targets?

If we go down this road, the recommendation might be to always sign all headers, including the missing, including ARC and trace headers and before signing, reorder specific headers to DKIM-ready MUA read-order standards, if any.

Are MUAs now doing verifications and filtering failures?  Or is it the backend, the host, the MDA, that is still generally responsible for doing the verification and mail filtering before passing it on to users?


All the best,
Hector Santos
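
Added illustration (not part of the message above, and not code from any poster or project): a simplified model of the read-order mismatch discussed in the thread. RFC 6376 section 5.4.2 selects repeated header fields from the bottom of the header block upward, while a reader that takes the first matching field works from the top down. The helper names, the simplified hash input and the sample message are all constructed for this example.

```python
def select_signed(headers, h_list):
    """Map each h= entry to the header instance it covers (RFC 6376 5.4.2).

    headers: list of (name, value) in top-to-bottom message order.
    Repeated names in h= consume instances from the bottom up; an entry
    with no instance left covers the null string (an oversign slot).
    """
    remaining = {}
    for idx, (name, _) in enumerate(headers):
        remaining.setdefault(name.lower(), []).append(idx)
    picked = []
    for name in h_list:
        stack = remaining.get(name.lower(), [])
        picked.append((name.lower(), stack.pop() if stack else None))
    return picked


def signed_input(headers, h_list):
    """Simplified stand-in for the canonicalized header hash input."""
    parts = []
    for name, idx in select_signed(headers, h_list):
        parts.append("" if idx is None else f"{name}:{headers[idx][1].strip()}")
    return "\n".join(parts)


def first_displayed(headers, name):
    """Model of a top-down reader: the first matching field wins."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


# Constructed sample: the message as signed, then with a From: added on top.
ORIGINAL = [("From", "alice@example.org"), ("To", "list@example.net"),
            ("Subject", "hello")]
ALTERED = [("From", "someone-else@example.com")] + ORIGINAL

PLAIN_H = ["From", "To", "Subject"]             # From listed once
OVERSIGN_H = ["From", "From", "To", "Subject"]  # one extra From slot


def survives(h_list):
    """True if the signed header input is unchanged by the added field."""
    return signed_input(ORIGINAL, h_list) == signed_input(ALTERED, h_list)
```

With PLAIN_H the signed input is unchanged although a top-down reader now sees a different From:; with OVERSIGN_H the extra slot picks up the added field and the header hash no longer matches.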