[ietf-dkim] chained signatures, was l= summary
Murray S. Kucherawy
msk at cloudmark.com
Mon Jun 8 05:51:22 PDT 2009
> > By selecting specific A-R headers to remove, header content might be
> > processed post delivery, and then appear to match against some trusted
> > domain.
I believe the Security Considerations of RFC5451 covers this adequately.
> For sure, individual recipients may wish to check signatures etc. for
> themselves, especially if they have doubts about the policies applied by
> their local assessors. If the local assessor has unnecessarily removed
> some A-R that is actually covered by the signature, then that becomes
> > The safest solution would be to remove _all_ A-R pre-existing A-R
> > headers from different environments ...
> But that's not what the standard says.
> > IMHO, appendix B.6 is overly optimistic for today's environment.
Have you seen actual attacks like this in the wild already?
> Maybe so, but that document is a proposed standard, and unless you have
> plans to get it revised, we must try and work with it as it stands.
> Nothing in that example is contrary to what that standard says
(BTW, does this still qualify as being "on topic" for this list?)
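The border-MTA cleanup the thread argues about, as an added example (not code from this thread, RFC 5451, or any DKIM implementation); the sample headers, the local authserv-id mail.example.org and the trusted relay relay.partner.example are constructed:

```python
from email import message_from_string
from email.message import Message

# Constructed sample: three Authentication-Results fields as they might arrive
# at the border MTA of mail.example.org. The first one forges our own authserv-id.
SAMPLE = (
    "Authentication-Results: mail.example.org; dkim=pass header.d=bank.example\n"
    "Authentication-Results: relay.partner.example; spf=pass smtp.mailfrom=partner.example\n"
    "Authentication-Results: unknown.example; dkim=pass header.d=bank.example\n"
    "From: someone@partner.example\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def authserv_id(value: str) -> str:
    """Return the authserv-id: the first token before ';' (an optional
    version number may follow it, e.g. 'mail.example.org 1;')."""
    tokens = value.split(";", 1)[0].split()
    return tokens[0].lower() if tokens else ""

def strip_untrusted_auth_results(msg: Message, local_id: str, trusted_upstream: set) -> list:
    """Border-MTA policy: drop every Authentication-Results field that claims
    our own authserv-id (it cannot legitimately arrive from outside) or that
    carries an authserv-id not in trusted_upstream. With an empty
    trusted_upstream this is the 'remove all pre-existing A-R headers'
    policy discussed in the thread. Returns the removed field values."""
    kept, removed = [], []
    for value in msg.get_all("Authentication-Results", []):
        asid = authserv_id(value)
        if asid != local_id.lower() and asid in trusted_upstream:
            kept.append(value)
        else:
            removed.append(value)
    del msg["Authentication-Results"]      # removes every instance of the field
    for value in kept:
        msg["Authentication-Results"] = value
    return removed

def build_sample() -> Message:
    return message_from_string(SAMPLE)

if __name__ == "__main__":
    m = build_sample()
    for v in strip_untrusted_auth_results(m, "mail.example.org", {"relay.partner.example"}):
        print("removed:", v)
```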