[dkim-dev] Choosing sets of headers to sign
Dave Crocker
dhc at dcrocker.net
Thu Jan 11 09:28:02 PST 2007
(I'm sending an independent copy of this note to the dkim-dev mailing list,
because I'm not sure which venue is the better choice. -dev has the more focused
group, but the topic of this note probably has a larger implication, so that
ESTG might permit broader representation of views. So, apologies if you are
getting this twice and bigger apologies if you are not a member of the ESTG group.)
Folks,
One of the basic points of flexibility in DKIM is permitting the signer to
declare a subset of headers that is part of the signature. (h= specifies the list.)
This allows the infrastructure to add/modify other header fields, with no impact
on the verification. However it also opens the door to insufficient or
incompatible signing. I sign a few fields, and you validate as if there is a
robust protection of the headers. I sign a few headers and you sign a lot, with
little overlap between our sets; should the validator treat validation of our
two messages the same?
So,
1. How are folks deciding what fields to sign?
2. To what extent do we care about different signers choosing different fields
to sign, in terms of how to process a validated signature?
3. ...?
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
More information about the dkim-dev
mailing list