Re: [Ietf-dkim] Headers that should not be automatically oversigned in a DKIM signature?

[Steffen Nurpmeso <steffen@sdaoden.eu>]

Jim Fenton wrote in
 <3E7A38EF-4026-4943-8BC3-22516E3F1C56@bluepopcorn.net>:
 |On 5 Feb 2024, at 14:02, Dave Crocker wrote:
 |> On 2/5/2024 1:56 PM, Jim Fenton wrote:
 |>> And you will also provide citations to refereed research about what \
 |>> you just asserted as well, yes?
 |>
 |> Ahh, you want me to prove the negative. That's not exactly how these \
 |> things go.
 |
 |You said that the URL lock symbol failed. Asking for research to back \
 |that up is not asking for you to prove the negative. I suspect there \
 |is research out there that backs up that statement, and I’m just asking \
 |for the same amount of rigor that you are asking for.

URL lock is one thing, the way to get there the other.
In fact i find it terribly annoying for so-called insecure
connections, those screaming pages and the large buttons to reject
and the small to really get where i want.  (Possibly even after
unfolding a visual layer.)

And i think the "do not ask again" should instead read "shall we
remember this very certificate for this very URL", and having
a date selector that cannot cross the not-after date of
a certificate, or some maximum time (that likely could be
configured, too).

Anyhow the lock symbol should possibly indicate whether it was
from a CA-pool, from a secured DNS TLSA or what, or from such
a user-accepted thing.  Do not ask me how.  Background colour,
configurable.

This problem is also the one of certificates and CA-pools, and
all that business.
But DKIM for example has the fantastic property of not even having
introduced the need for a specific DNS record, instead it simply
published the public certificate in a DNS record, so people could
start right away.
(If all protocols would support public certificate import/use via
DNS, i think this would be very nice.)
And GPG has its own way to detect certificates.
What i mean is, there is a more direct connection in between the
data and the certificate.
That seems much more doable and understandable than CA pools,
i think.  Especially since most normal people do not understand
the visualization of the browser giants.

For my text MUA (and mutt(1) does it quite similar) you will see

  [-- #1.1 35/1035 multipart/mixed --]
  [-- Signed data --]
  From: ...

for parts or in between header and body for others.  (Like i said,
that needs a MIME layer rewrite to be practical.)

That "Signed data" and such can be colourized.  Likely the colour
for errors would be the "error" one, which i set to red.
So on a 55 or 59 line console i find a single such line pretty
remarkable.
And .. i would not know of a better way.

P.S.: i do not think people stop eating chocolade.  Nor chips.
(Until the brain chip can make the serotonins flow and make you
think it is chocolete, while you are eating something different in
fact.  But care! that it does not report your addiction to some
data collector, then.)
But i think traffic lights are a world wide success.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)