[dkim-dev] Choosing sets of headers to sign
Douglas Otis
dotis at mail-abuse.org
Thu Jan 11 14:04:44 PST 2007
On Jan 11, 2007, at 12:36 PM, Hector Santos wrote:
> Dave Crocker wrote:
>>
>> 1. How are folks deciding what fields to sign?
>
> Odds are good we will use a default of the most common fields
> across all mail networks and devices. The top most:
>
> From:
> To:
> Subject:
> Date:
These questions need to be asked of MUA vendors as well. Should
signed headers be annotated in some fashion? For example, what if
the signature included the identity found in the Sender header, but
was not signed? Should the Display-Name be highlighted differently?
When header annotation depends upon the identity being recognized by
retained information and associated with the signature, then retained
Display-Names might supplant this questionable component in an
unsigned header.
> and throw in Message-ID:
>
>> 2. To what extent do we care about different signers choosing
>> different fields to sign, in terms of how to process a validated
>> signature?
>
> Only that it isn't something that will readily change and use a
> field that may not survive.
How should a header <utf-8 at utf-8 <ascii at ascii>> be annotated? Should
it be signed? Which component of this header can be trusted as
having been confirmed via the DKIM signature? Keep in mind, domains
might differ.
-Doug
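To make the two threads of this discussion concrete, here is an added example (not code from the thread, from DKIM implementations, or from any of the posters) that models how DKIM's h= tag decides which header fields a signature covers. It uses relaxed header canonicalization and an HMAC-SHA256 keyed with a hypothetical secret in place of DKIM's real RSA signature; the headers, body and key are constructed sample values. The example shows three things the posts above raise: a field listed in h= (From, To, Subject, Date, Message-ID) is bound by the signature, a field not listed (here Sender) can change without invalidating it and so must not be annotated as DKIM-confirmed, and relaxed canonicalization lets whitespace-only rewrites "survive" in transit.

```python
import base64
import hashlib
import hmac
import re
from email.utils import parseaddr

# Constructed sample message (not taken from the thread): (name, value) pairs.
SAMPLE_HEADERS = [
    ("From", "Alice Example <alice@example.org>"),
    ("Sender", "Mailer <bot@example.net>"),
    ("To", "bob@example.com"),
    ("Subject", "Quarterly  report"),
    ("Date", "Thu, 11 Jan 2007 14:04:44 -0800"),
    ("Message-ID", "<123@example.org>"),
]
SAMPLE_BODY = "See attached.\r\n"

# Hypothetical shared secret; a real DKIM signer uses an RSA private key.
SECRET = b"demo-key-not-real"


def relaxed_header(name, value):
    """Relaxed header canonicalization: lowercase name, unfold continuation
    lines, collapse runs of whitespace, strip surrounding whitespace."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def select_headers(headers, h_list):
    """Pick the header instances named in h=, bottom-up and without reuse,
    as DKIM does. A name listed in h= but absent contributes nothing."""
    used, out = set(), []
    for want in h_list:
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in used and headers[idx][0].lower() == want.lower():
                used.add(idx)
                out.append(relaxed_header(*headers[idx]))
                break
    return out


def sign(headers, body, h_list):
    """Build a toy DKIM-Signature value with h=, bh= and b= tags."""
    bh = base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()
    stub = f"h={':'.join(h_list)}; bh={bh}; b="
    # Signed data: the selected headers plus the signature header with b= empty.
    data = "".join(select_headers(headers, h_list))
    data += relaxed_header("DKIM-Signature", stub).rstrip("\r\n")
    b = base64.b64encode(hmac.new(SECRET, data.encode(), hashlib.sha256).digest()).decode()
    return stub + b


def parse_tags(sig_value):
    return dict(t.strip().split("=", 1) for t in sig_value.split(";") if t.strip())


def verify(headers, body, sig_value):
    """Recompute the signature over the fields named in h= and compare."""
    h_list = parse_tags(sig_value)["h"].split(":")
    return hmac.compare_digest(sign(headers, body, h_list), sig_value)


def covered_fields(headers, sig_value):
    """Report, per header, whether the signature covers it. A field is covered
    as a unit: the Display-Name and addr-spec of From are never confirmed
    separately, and neither part of an unlisted Sender is confirmed at all."""
    h_list = [n.lower() for n in parse_tags(sig_value)["h"].split(":")]
    report = {}
    for name, value in headers:
        entry = {"covered": name.lower() in h_list}
        if name.lower() in ("from", "sender"):
            entry["display_name"], entry["address"] = parseaddr(value)
        report[name] = entry
    return report


def demo():
    h_list = ["from", "to", "subject", "date", "message-id"]
    sig = sign(SAMPLE_HEADERS, SAMPLE_BODY, h_list)

    def with_header(name, new_value):
        return [(n, new_value if n == name else v) for n, v in SAMPLE_HEADERS]

    return {
        "original": verify(SAMPLE_HEADERS, SAMPLE_BODY, sig),
        # Sender is not in h=: it may change freely, so an MUA must not
        # present it as confirmed by this signature.
        "sender_changed": verify(with_header("Sender", "Someone <x@example.net>"), SAMPLE_BODY, sig),
        "from_changed": verify(with_header("From", "Alice Example <alice@example.net>"), SAMPLE_BODY, sig),
        # Whitespace-only rewriting of a signed field survives relaxed canonicalization.
        "subject_respaced": verify(with_header("Subject", "Quarterly report"), SAMPLE_BODY, sig),
        "coverage": covered_fields(SAMPLE_HEADERS, sig),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The `coverage` report is the piece an MUA would need in order to annotate headers honestly: it can say that the From field as a whole was bound by the signer's domain, but it has no basis for highlighting the Display-Name on its own, and none for the Sender field unless the signer listed it in h=.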