[ietf-dkim] Taking responsibility for a message
johnl at iecc.com
Mon Apr 25 19:20:24 PDT 2011
>I don't so much view DKIM as protecting content; rather, my current view
>of its semantics aligns with the whole "taking some responsibility for"
So far, so good, the signer takes some responsibility for the message.
> And thus, a signer should only sign those parts of the header and
> body for which it wants to accept responsibility.
Good lord, no. Taking some responsibility for the message is not the
same as taking responsibility for some of the message.
If you do that, that pretty much requires that we put back the stuff
that says that a verifier produces an edited version of the message,
and you better be prepared to have a very, very, very long discussion
about how much of a message a signature has to include for it to be
"enough" and how to design various metrics about the relative value of
signatures that cover more or less of the message.
If you think a message is worth signing, sign it. If you don't,
don't. Those are the only two options. When a list manager's domain
signs a message, it's not asserting anything about the literary merit
of the message, it's just saying the message satisfied whatever criteria
it uses to select and pass along the messages it signs. (Yes, this is
The reason you might not include part of a message in the signature is
that you don't care if someone changes it. I don't sign Received: or
X-Mailer: headers, because changing or deleting them is harmless. I
do sign nearly everything else. This also suggests why the l= option
is not useful, since it says "I don't care if other people add stuff
to the end of the message."
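The l= point above, as an added example that is not part of the original post: a body hash computed under the "simple" body canonicalization with a body-length limit, showing that anything appended past the limit leaves the hash unchanged, plus the check a verifier can use to flag how much of the body a signature with l= leaves uncovered. The helper names and the sample bodies are constructed for this example.

```python
import base64
import hashlib


def canonicalize_body_simple(body: bytes) -> bytes:
    """DKIM 'simple' body canonicalization (RFC 6376 section 3.4.3):
    drop trailing empty lines, end with exactly one CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, length=None) -> str:
    """bh= value: base64(SHA-256) over the canonical body, truncated to
    l= bytes when a length is given (the count applies after canonicalization)."""
    canon = canonicalize_body_simple(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def uncovered_bytes(body: bytes, length=None) -> int:
    """Verifier-side check: how many canonical body bytes fall outside the
    signed prefix. Anything above zero is content the signer did not cover."""
    canon = canonicalize_body_simple(body)
    if length is None:
        return 0
    return max(0, len(canon) - length)


# Constructed sample: the signer covers only the original 26-byte body.
ORIGINAL = b"Please review the draft.\r\n"
SIGNED_LENGTH = len(canonicalize_body_simple(ORIGINAL))
# Constructed sample: text a later hop appended after the signed prefix.
APPENDED = ORIGINAL + b"Added after signing; not covered by the signature.\r\n"


def demo():
    """Return (hash unchanged under l=, hash changed without l=, uncovered bytes)."""
    same_with_l = body_hash(ORIGINAL, SIGNED_LENGTH) == body_hash(APPENDED, SIGNED_LENGTH)
    differs_without_l = body_hash(ORIGINAL) != body_hash(APPENDED)
    return same_with_l, differs_without_l, uncovered_bytes(APPENDED, SIGNED_LENGTH)


if __name__ == "__main__":
    print(demo())
```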