Re: [Ietf-dkim] Headers that should not be automatically oversigned in a DKIM signature?
Hector Santos <hsantos@isdg.net> Fri, 02 February 2024 13:34 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FF39C14F5F5 for <ietf-dkim@ietfa.amsl.com>; Fri, 2 Feb 2024 05:34:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X_s4Rj8IpSsR for <ietf-dkim@ietfa.amsl.com>; Fri, 2 Feb 2024 05:34:28 -0800 (PST)
Received: from mail.winserver.com (mail.winserver.com [3.137.120.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9542CC14F71D for <ietf-dkim@ietf.org>; Fri, 2 Feb 2024 05:34:28 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2803; t=1706880863; atps=ietf.org; atpsh=sha1; h=Received:Received:Message-ID:Date:Subject:To:From:Organization: List-ID; bh=xm7b5sfxL7d6jf/mJmkSgfCEhy6TJA5t2k3yWjJTu2A=; b=Yj4z HgX+daCA9shTXpEsCmZTYDBb4FY19AKq9CedCMbu4pyrQn0gYPGk4qff6eQUZFRO nqfcfTdazB6EbUI9dyjmVKf3oP/lxYAFV86KJUQX341A9x/6ADOcw3nvHFzd6yNS vFu69Hze/061dfoFfOtRfq6/cw+430xs01p4KdM=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.14) for ietf-dkim@ietf.org; Fri, 02 Feb 2024 08:34:23 -0500
Received: from home.winserver.com ([75.26.216.248]) by winserver.com (Wildcat! SMTP v8.0.454.14) with ESMTP id 1503259837.1.4504; Fri, 02 Feb 2024 08:34:22 -0500
Message-ID: <af70d974-b2cb-4ac3-af9f-f0461238ebbb@isdg.net>
Date: Fri, 02 Feb 2024 08:34:22 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Reply-To: hsantos@isdg.net
Content-Language: en-US
To: ietf-dkim@ietf.org
References: <20240119192026.DEDFF810437D@ary.qy> <20240120000053.FrDLzS4U@steffen%sdaoden.eu> <3f72e0c3-d245-16f7-57b2-831bfa53efbd@taugh.com> <4F161749-91D6-4E2D-AF70-89C5F172B971@isdg.net> <64f0cfd3-9d86-4d5e-b213-d0e53972c65a@tana.it>
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
In-Reply-To: <64f0cfd3-9d86-4d5e-b213-d0e53972c65a@tana.it>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/wy2EyetvoWBzob-rIxpSpxSvESc>
Subject: Re: [Ietf-dkim] Headers that should not be automatically oversigned in a DKIM signature?
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Feb 2024 13:34:33 -0000
On 2/1/2024 6:38 AM, Alessandro Vesely wrote: > On Wed 31/Jan/2024 18:34:46 +0100 Hector Santos wrote: >> If I add this feature to wcDKIM, it can be introduced as: >> >> [X] Enable DKIM Replay Protection > > That'd be deceptive, as DKIM replay in Dave's sense won't be > blocked, while there can be other effects on signature robustness. > First, thanks to your and Murray's input. I need to review Dave's "DKIM Replay" concerns. Legacy systems have many entry points to create, import/export methods, transformation, filling missing fields, etc. Overall, I considered the potential "Replay" concern was about taking an existing signed message (from a purported "trusted signer" ) but MUA display fields, namely, To: and Subject: are missing or not signed. These can potentially be replayed with tampered To:, Subject fields and exported. The multiple 5322.From headers MUA concern was highlighted many moons ago. Easily Addressed with incoming SMTP filters rejecting multi-From messages. > A better sentence could be: > > [X] Prevent further additions of this field "This" meaning there is a header selection to monitor? See below > Note that some packages allow choices such as > > [ ] Sign and oversign only if present in the message > [ ] Oversign only if already present in the h= list > [ ] Oversign anyway Given how our package offer the signing defaults: UseRequiredHeadersOnly = 1 # optional, 1 - use RequireHeaders RequiredHeaders = From:To:Date:Message-Id:Organization:Subject:Received*:List-ID SkipHeaders = X-*:Authentication-Results:DKIM-Signature:DomainKey-Signature:Return-Path StripHeaders = # optional, headers stripped by resigners Basically, as the message to be signed headers are read in, each are checked again the RequiredHeaders (when enabled). If missing, the header is not signed. The exception is From: which is always signed. Signed headers are added to the "h=" fields. So how about this, if I follow this, new namespace fields: OversignHeader.To = # default blank OversignHeader.Subject = # default blank . . OversignHeader.Field-Name= # future oversign header This allows an oversign header to be signed if missing. If correct, easily to update the code. Of course, the MUA is another issue. What read order should be expected for Oversign headers? Each MUA can be different although I would think streamed in data are naturally read sequentially and the first display headers found are used in the UI. Only To: is allowed to be a list. -- Hector Santos, https://santronics.com https://winserver.com
- [Ietf-dkim] Headers that should not be automatica… Mike Hillyer
- Re: [Ietf-dkim] Headers that should not be automa… Dave Crocker
- Re: [Ietf-dkim] Headers that should not be automa… Mike Hillyer
- Re: [Ietf-dkim] Headers that should not be automa… Dave Crocker
- Re: [Ietf-dkim] Headers that should not be automa… John Levine
- Re: [Ietf-dkim] Headers that should not be automa… Evan Burke
- Re: [Ietf-dkim] Headers that should not be automa… Dave Crocker
- Re: [Ietf-dkim] Headers that should not be automa… Steffen Nurpmeso
- Re: [Ietf-dkim] Headers that should not be automa… Dave Crocker
- Re: [Ietf-dkim] Headers that should not be automa… Al Iverson
- Re: [Ietf-dkim] Headers that should not be automa… Alessandro Vesely
- Re: [Ietf-dkim] Headers that should not be automa… Dave Crocker
- Re: [Ietf-dkim] Headers that should not be automa… Evan Burke
- Re: [Ietf-dkim] Headers that should not be automa… John Levine
- Re: [Ietf-dkim] Headers that should not be automa… Steffen Nurpmeso
- Re: [Ietf-dkim] Headers that should not be automa… Steffen Nurpmeso
- Re: [Ietf-dkim] Headers that should not be automa… Steffen Nurpmeso
- Re: [Ietf-dkim] Headers that should not be automa… Emanuel Schorsch
- Re: [Ietf-dkim] Headers that should not be automa… Steffen Nurpmeso
- Re: [Ietf-dkim] Headers that should not be automa… Steffen Nurpmeso
- Re: [Ietf-dkim] Headers that should not be automa… John R Levine
- Re: [Ietf-dkim] Headers that should not be automa… Hector Santos
- Re: [Ietf-dkim] Headers that should not be automa… Murray S. Kucherawy
- Re: [Ietf-dkim] Headers that should not be automa… Alessandro Vesely
- Re: [Ietf-dkim] Headers that should not be automa… Hector Santos
- Re: [Ietf-dkim] Headers that should not be automa… Alessandro Vesely
- Re: [Ietf-dkim] Headers that should not be automa… Hector Santos
- Re: [Ietf-dkim] Headers that should not be automa… Alessandro Vesely
- Re: [Ietf-dkim] Headers that should not be automa… Dave Crocker
- Re: [Ietf-dkim] Headers that should not be automa… Steffen Nurpmeso
- Re: [Ietf-dkim] Headers that should not be automa… Steffen Nurpmeso
- Re: [Ietf-dkim] Headers that should not be automa… Dave Crocker
- Re: [Ietf-dkim] Headers that should not be automa… Jim Fenton
- Re: [Ietf-dkim] Headers that should not be automa… Dave Crocker
- Re: [Ietf-dkim] Headers that should not be automa… Jim Fenton
- Re: [Ietf-dkim] Headers that should not be automa… Steffen Nurpmeso
- Re: [Ietf-dkim] Headers that should not be automa… Dave Crocker
- Re: [Ietf-dkim] Headers that should not be automa… Dave Crocker
- Re: [Ietf-dkim] Security indicators, not Headers … John Levine
- Re: [Ietf-dkim] Headers that should not be automa… John Levine
- Re: [Ietf-dkim] Headers that should not be automa… Hector Santos
- Re: [Ietf-dkim] Security indicators, not Headers … Hector Santos
- Re: [Ietf-dkim] Security indicators, not Headers … Dave Crocker
- Re: [Ietf-dkim] Headers that should not be automa… Steffen Nurpmeso
- Re: [Ietf-dkim] Headers that should not be automa… Murray S. Kucherawy
- Re: [Ietf-dkim] Headers that should not be automa… Steffen Nurpmeso