On 19 Mar 2025, at 10:34, Murray S. Kucherawy wrote:

> On Wed, Mar 19, 2025 at 10:29 AM Jim Fenton <fen...@bluepopcorn.net> wrote:
>
>> If I understand what you are describing properly, the verifying MTA can
>> verify the signature, but an individual recipient wouldn’t have the
>> envelope information to do that with — they would rely on the
>> Authentication-Results header field instead.
>>
>> But they would still have the signature itself, and could try various
>> likely envelope addresses until they found one for which the signature
>> verifies properly.
>>
>
> In the single recipient model, the attack you're describing requires you to
> be in possession of a message that was delivered to an unknown recipient
> and you're trying to discover who that was. If you have in hand a message
> that was delivered to you and you want to know who else might've received
> it, that won't succeed because that information can't be recovered (because
> it wasn't there at signing time).

Your earlier message referred to “N recipients going to MX-A” so it wasn’t clear that you were talking about a single-recipient model. It sounded like you were depending on the envelope information not being added to any header field for confidentiality. I agree that the single-address-per-envelope model doesn’t have that problem.

But I wonder if it might make it a little easier for implementations to operate only on the message header and not the envelope itself, so perhaps having the receiving MTA copy the envelope address into a trace header field would be a good idea. But you know much more about implementing DKIM than I do.

-Jim

_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org
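
A toy model of the single-recipient point discussed in this thread, added here as an example and not taken from the thread or from any DKIM implementation: each copy's signature verifies only for its own envelope recipient, so a copy shows nothing about the other recipients. The hash binding, the tiny RSA key and all addresses are constructed assumptions, not the wire format under discussion.

```python
import hashlib

# Constructed toy RSA key (two Mersenne primes); far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the signer

def digest(header: bytes, rcpt: str) -> int:
    # Assumed binding: the hash covers the header plus ONE envelope recipient.
    data = header + b"\x00" + rcpt.lower().encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(header: bytes, rcpt: str) -> int:
    return pow(digest(header, rcpt), D, N)

def verify(header: bytes, rcpt: str, sig: int) -> bool:
    # Needs only the public values (N, E), so any holder of the copy can run it.
    return pow(sig, E, N) == digest(header, rcpt)

def matching_recipients(header: bytes, sig: int, candidates: list) -> list:
    """Candidate envelope addresses for which this copy's signature verifies."""
    return [c for c in candidates if verify(header, c, sig)]

# Constructed sample: one message, two recipients, one signature per envelope.
HEADER = b"From: sender@example.com\r\nSubject: quarterly report\r\n"
COPIES = {r: sign(HEADER, r) for r in ("alice@example.org", "bob@example.org")}
GUESSES = ["carol@example.org", "bob@example.org", "alice@example.org"]

if __name__ == "__main__":
    for rcpt, sig in COPIES.items():
        # Each copy matches only the address it was signed for.
        print(rcpt, "copy verifies for:", matching_recipients(HEADER, sig, GUESSES))
```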