On Mon, Mar 24, 2025 at 10:53 AM Michael Thomas <m...@mtcc.com> wrote:
> Out of curiosity would, say, a mailing list that breaks the original
> signature but signs on the mailing list's behalf count as "signed"? At some
> level DKIM is about taking responsibility for a message so something that a
> mailing list signed is who you'd blame and/or hang some reputation off of.
>
> If that were the case, it seems that could be workable although I'd be
> really scared about the collateral damage. But they'd know what it would
> be, so they'd have an informed view of things.
>

I take it that a list invalidating an author domain signature would sign as itself while also declaring what mutations it made, and downstream verifiers can decide (a) if the list signature is still satisfied, (b) whether the declared mutations are acceptable, and (c) if they're reversible such that the author domain signature can be recovered.

What I'm less clear on is how one identifies a legitimate mutation or a legitimate list, versus a participating attacker claiming to be one of those things.

-MSK
_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org
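
Added example, not part of the thread or of any DKIM specification: a sketch of verifier decisions (b) and (c) from the reply above, for the single case of a list appending a footer to the body. The mutation declaration format (`op`, `length`), the function names and the sample message are assumptions made for illustration; signature verification itself, decision (a), is left out, and only the author's `bh=` body hash (RFC 6376 "simple" canonicalization, SHA-256) is compared.

```python
import base64
import hashlib

def body_hash(body: bytes) -> str:
    """bh= value: SHA-256 over the RFC 6376 'simple' canonicalized body."""
    while body.endswith(b"\r\n\r\n"):   # ignore empty lines at the end of the body
        body = body[:-2]
    if not body.endswith(b"\r\n"):      # canonical body always ends in one CRLF
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode()

def list_append_footer(body: bytes, footer: bytes):
    """List side: mutate the body and declare the mutation (hypothetical format)."""
    return body + footer, [{"op": "append-body", "length": len(footer)}]

def evaluate(received: bytes, author_bh: str, declared, acceptable_ops):
    """Verifier side: undo declared mutations, then compare with the author's bh=."""
    body = received
    for m in reversed(declared):                  # undo in reverse order of application
        if m["op"] not in acceptable_ops:
            return "mutation-not-acceptable"      # decision (b): local policy
        if m["op"] == "append-body":
            if not 0 < m["length"] <= len(body):
                return "not-recoverable"
            body = body[:-m["length"]]            # strip the declared footer
        else:
            return "not-recoverable"              # no known inverse for this op
    # decision (c): the author's body hash must match the reversed body
    return "recovered" if body_hash(body) == author_bh else "not-recoverable"

# Constructed sample message body and list footer.
ORIGINAL = b"Hello list,\r\n\r\nDoes this count as signed?\r\n"
FOOTER = b"_______________\r\nExample list footer\r\n"
AUTHOR_BH = body_hash(ORIGINAL)
RECEIVED, DECLARED = list_append_footer(ORIGINAL, FOOTER)

if __name__ == "__main__":
    print(evaluate(RECEIVED, AUTHOR_BH, DECLARED, {"append-body"}))
```

A "recovered" result only shows that the declared mutations account for the difference between the received body and the author's body hash; it says nothing about whether the party declaring them is a legitimate list.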