[ietf-dkim] detecting header mutations after signing

Wietse Venema wietse at porcupine.org
Fri Oct 8 13:15:56 PDT 2010


> > If I understand things correctly, the solution is already available
> > in DKIM today.  It involves signer configuration (sign for N+1
> > instances of each header that is covered by the signature) and
> > requires no change in protocol or semantics. It merely hardens the
> > DKIM signature and I see nothing wrong with doing so.
> > 
> > If I am mistaken then please correct me.
> 
> It depends on the Application implementation of DKIM.

What I describe would be a best practice application of DKIM
mechanisms that already exist.

Mail is signed as if there are N+1 instances of each header that
is covered by the DKIM signature.  The verifier will then fail if
any such header is added after-the-fact.

With this, there is no need to rely on enforcement mechanisms
outside DKIM, such as the correct implementation of RFC 5322.

	Wietse
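
The N+1 signing described in the message above, as an added example that is not part of the original post or of any DKIM implementation. It assumes the header selection rule of RFC 6376 section 5.4.2 and replaces canonicalization and the RSA signature with a plain SHA-256 over the selected headers; the function names and the sample message are constructed for illustration.

```python
import hashlib

def select_headers(headers, h_list):
    """Each name in h= consumes the next unused instance of that header,
    counting from the bottom of the header block (RFC 6376, 5.4.2).
    A name with no instance left contributes nothing to the hash input."""
    remaining = list(headers)            # (name, value) pairs, top to bottom
    picked = []
    for name in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                picked.append(remaining.pop(i))
                break
    return picked

def header_hash(headers, h_list):
    """Simplified stand-in for the signed header hash."""
    data = "".join(f"{n}:{v}\r\n" for n, v in select_headers(headers, h_list))
    return hashlib.sha256(data.encode()).hexdigest()

def oversign(h_list):
    """Append one extra entry per distinct name: N+1 instances in h=."""
    return list(h_list) + list(dict.fromkeys(n.lower() for n in h_list))

# Constructed sample: the message as signed, and the same message with a
# header prepended after signing.
SIGNED = [("From", " alice@example.org"),
          ("Subject", " Quarterly report"),
          ("To", " bob@example.net")]
MUTATED = [("From", " someone-else@example.com")] + SIGNED

def still_verifies(h_list):
    """True if the added header leaves the hash input unchanged."""
    return header_hash(SIGNED, h_list) == header_hash(MUTATED, h_list)

if __name__ == "__main__":
    plain = ["from", "subject", "to"]
    print("h=" + ":".join(plain), "->", still_verifies(plain))
    print("h=" + ":".join(oversign(plain)), "->", still_verifies(oversign(plain)))
```

With one h= entry per header the added From is never selected, so the hash still matches; with the extra entries the verifier selects it and the hash no longer matches.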

