Re: [Ietf-dkim] Headers that should not be automatically oversigned in a DKIM signature?

Alessandro Vesely <vesely@tana.it> Mon, 05 February 2024 17:44 UTC

Return-Path: <vesely@tana.it>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABAB8C14F5E0 for <ietf-dkim@ietfa.amsl.com>; Mon, 5 Feb 2024 09:44:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b="lqCAx93A"; dkim=pass (1152-bit key) header.d=tana.it header.b="BKHx1ZgL"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cjRFn7kSLKli for <ietf-dkim@ietfa.amsl.com>; Mon, 5 Feb 2024 09:43:55 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A59ABC14F5EB for <ietf-dkim@ietf.org>; Mon, 5 Feb 2024 09:43:18 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1707154996; bh=iTDkwDDjyQqnnan33cYXWEMxWx5MPaLDgYEuY7FQzug=; h=Author:Date:Subject:To:Cc:References:From:In-Reply-To; b=lqCAx93AG/5BgGWTjMGUMC4CTwk1G3SCT0yrPLW5oEJ748RcsoJ74sa5jCFEQErpP djRi4vYkvqURiA5cCFhDg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1707154996; bh=iTDkwDDjyQqnnan33cYXWEMxWx5MPaLDgYEuY7FQzug=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=BKHx1ZgLOrbFTriI/5EmboaBOSX6aWXtKzhUVgBrlxhHxyx7RDMllzy7vF/yHQJOZ YY300o96ZpHHVGSp6ekX8NkU7J6kqyH/weFJ2Rll17LCPYP1i2N7B59b4Scrz+PNO1 q2dri9ClosxMi2FfuagRpU+eIfVBNgouIN5vcrYWZXuQLZuDB0omxw4YdjlKd
Original-Subject: Re: [Ietf-dkim] Headers that should not be automatically oversigned in a DKIM signature?
Author: Alessandro Vesely <vesely@tana.it>
Original-Cc: ietf-dkim@ietf.org
Received: from [192.168.1.3] (host-82-50-65-46.retail.telecomitalia.it [82.50.65.46]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0BC.0000000065C11E33.00002EFC; Mon, 05 Feb 2024 18:43:15 +0100
Message-ID: <012291f4-5098-4e6b-b9b9-a7e1fd681138@tana.it>
Date: Mon, 05 Feb 2024 18:43:15 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US, it
To: Hector Santos <hsantos=40isdg.net@dmarc.ietf.org>
Cc: ietf-dkim@ietf.org
References: <20240119192026.DEDFF810437D@ary.qy> <20240120000053.FrDLzS4U@steffen%sdaoden.eu> <3f72e0c3-d245-16f7-57b2-831bfa53efbd@taugh.com> <4F161749-91D6-4E2D-AF70-89C5F172B971@isdg.net> <64f0cfd3-9d86-4d5e-b213-d0e53972c65a@tana.it> <af70d974-b2cb-4ac3-af9f-f0461238ebbb@isdg.net> <0cb52576-67af-4248-9866-5d2e2ef1adfd@tana.it> <8EA4F7EB-CBAF-4CBA-AD3B-03ECC8B05172@isdg.net>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <8EA4F7EB-CBAF-4CBA-AD3B-03ECC8B05172@isdg.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/gw9bxduAsp1VeCIvO8d1ipAtzPo>
Subject: Re: [Ietf-dkim] Headers that should not be automatically oversigned in a DKIM signature?
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2024 17:44:00 -0000

On 05/02/2024 17:02, Hector Santos wrote:
>> On Feb 3, 2024, at 8:23 AM, Alessandro Vesely <vesely@tana.it> wrote:
>>
>> RFC 5322 specifies lists for From:, To:, Cc:, Bcc:, Reply-To:, 
>> Resent-From:, Resent-To:, Resent-Cc: and Resent-Bcc:.
>
> My comment was regarding the MUA and the order data is read. I wonder 
> which MUAs will display a list for Display fields From: and Resent-*. If 
> any.  Are all of these OverSign targets?


Resent-* fields can be added multiple times, so they should not be 
[over]signed.


> if we go down this road, the recommendation might be to always sign all 
> headers, including the missing, including ARC and trace headers and 
> before signing, reorder specific headers to DKIM-ready MUA read-order 
> standards, if any.


Trace fields, signatures and all "transit" stuff should neither be 
signed nor oversigned.


> Are MUAs now doing verifications and filtering failures?  Or is it the 
> backend, the host, the MDA, that is still generally responsible for 
> doing the verification and mail filtering before passing it on to users?


It is debatable whether it is useful to display authentication 
information to the end user.  Personally, I like to see it.

MUAs which have add-ons probably have one or more DKIM verifiers.  Some 
implement it natively.


Best
Ale
--
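To make the two points above concrete (Resent-* fields and trace or signature fields are added legitimately downstream, so they must not be oversigned, while a duplicate of a display field such as Subject: is exactly what oversigning is meant to catch), here is an added example that is not code from this thread or from any of the participants' software. It builds a DKIM h= list with oversigning in the RFC 6376 sense (one more instance of a field than is present, so a later-added instance changes the header hash), selects header instances bottom-up as a verifier does per RFC 6376 section 5.4.2, and applies relaxed header canonicalization. The message, the policy sets and the helper names (`build_h`, `survives_hop`, `TRANSIT_FIELDS`) are constructed for the illustration; the `skip_transit` flag exists only to show the weak policy beside the safe one.

```python
"""DKIM oversigning demo: which fields are safe to oversign, and why.
Added example for this discussion; the message and policy sets are constructed."""
import hashlib
import re

# Fields that relays, resenders and later signers add after the original
# signature.  Oversigning any of these makes a lawful hop break the signature.
TRANSIT_FIELDS = {
    "received", "return-path", "authentication-results", "dkim-signature",
    "arc-seal", "arc-message-signature", "arc-authentication-results",
}

def is_transit(name: str) -> bool:
    """True for trace/signature fields and every Resent-* field."""
    n = name.lower()
    return n in TRANSIT_FIELDS or n.startswith("resent-")

def parse_headers(raw: str):
    """Return [(name, value)] in wire order; folded lines stay inside the value."""
    fields = []
    for line in raw.split("\n"):
        if line == "":
            break                                   # end of the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + "\n" + line)
        else:
            name, _, value = line.partition(":")
            fields.append((name, value))
    return fields

def build_h(fields, sign, oversign, skip_transit=True):
    """h= list: every present instance of each signed field, plus one extra
    (absent) instance for each oversigned field.  With skip_transit=True the
    transit fields are never oversigned; False shows the unsafe policy."""
    counts = {}
    for name, _ in fields:
        counts[name.lower()] = counts.get(name.lower(), 0) + 1
    over = {n.lower() for n in oversign}
    h = []
    for name in sign:
        h.extend([name] * counts.get(name.lower(), 0))
        if name.lower() in over and not (skip_transit and is_transit(name)):
            h.append(name)
    return h

def relaxed(name: str, value: str) -> bytes:
    """RFC 6376 relaxed header canonicalization of a single field."""
    v = re.sub(r"[ \t]*\r?\n[ \t]*", " ", value)      # unfold
    v = re.sub(r"[ \t]+", " ", v).strip()              # collapse whitespace
    return f"{name.lower()}:{v}\r\n".encode()

def header_hash(fields, h) -> str:
    """Hash the instances a verifier selects (RFC 6376 section 5.4.2): for each
    name in h=, the bottom-most instance not yet used; a name with no instance
    left contributes nothing, so a later-added instance of an oversigned
    field changes the digest."""
    remaining = list(fields)
    digest = hashlib.sha256()
    for name in h:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                digest.update(relaxed(*remaining.pop(i)))
                break
    return digest.hexdigest()

# Constructed message as it left the signing domain.
ORIGINAL = """From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: oversigning demo
Date: Mon, 05 Feb 2024 18:43:15 +0100
Received: from mua.example.org by mx.example.org; Mon, 05 Feb 2024 17:43:00 -0000
Message-ID: <demo-1@example.org>

body
"""

def survives_hop(oversign, added_line: str, skip_transit=True) -> bool:
    """Sign ORIGINAL with the given oversign policy, prepend one header field
    as a relay or resender would, and report whether the header hash survives."""
    sign = ["From", "To", "Subject", "Date", "Message-ID", "Resent-From", "Received"]
    fields = parse_headers(ORIGINAL)
    h = build_h(fields, sign, oversign, skip_transit)
    before = header_hash(fields, h)
    after = header_hash(parse_headers(added_line + "\n" + ORIGINAL), h)
    return before == after

if __name__ == "__main__":
    policy = ["Subject", "Resent-From", "Received"]
    resend = "Resent-From: Carol <carol@example.com>"
    print("oversign Resent-From, then resend:", survives_hop(policy, resend, skip_transit=False))
    print("skip transit fields, then resend:", survives_hop(policy, resend))
    print("oversign Subject, duplicate injected:", survives_hop(["Subject"], "Subject: spoofed"))
```

Run as a script it prints False, True, False: oversigning Resent-From breaks the signature on an ordinary resend, leaving Resent-* and Received out of the oversign set lets the same resend (or a new Received line from a relay) pass, and oversigning Subject still makes a prepended duplicate Subject fail, which is the protection the technique is for.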