-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message <ec30d504-c5e8-4742-ad42-2d5f3af1e...@tana.it>, Alessandro
Vesely <ves...@tana.it> writes

>On Mon 24/Mar/2025 20:19:29 +0100 Richard Clayton wrote:
>> In message <b9029423-1b4a-4e82-b8ae-4acbbe810...@tana.it>, Alessandro Vesely <ves...@tana.it> writes
>>
>>>BTW, is dkim2=fail different from "failing DKIM2 signatures from a 100% DKIM2
>>>mail chain"?  I mean, do verifiers always check all the signatures along the
>>>chain or can sometimes check just the last one?
>>
>> In DKIM2 you need to validate the signature of the entity passing you 
>> the message (the highest numbered header field) because that assures you 
>> that you can give it back to them if you need to...
>
>
>What does that mean?  Should I wait for more information in order to make a 
>delivery decision?

it means that if you accept the message and then reject it later then
you are assured that there will be no "backscatter"

>Of course, if I trust the signer of the last signature, it would be fine to 
>check only that.  But that would be too similar to ARC...

you don't need to trust, you need to validate

>> If you want to do forensics you can check more, but that's all that a 
>> receiver is likely to care about.
>
>It ought to be not very hard to check all signatures, reversing the changes. 

It's not a question of hardness -- if you check more signatures than you
need to then you are heating up the planet unnecessarily. Note that you
DO need to reverse changes to check the signature of the original sender
of the email but you can just use the change info without checking if it
is signed (if it doesn't work out then you're back in the world of
forensics)

>There needs to be a way to tell what changes are tolerated.  For example, I'd 
>accept a plain text footer of a few lines, but not html inserts that could 
>completely replace the original content in the end recipient's eyes.

"a way to tell" would be local decisions, not something in the protocol 

(and see my other message about the very small changes I see that
completely change the meaning of a message to a recipient ... so if you
are very cautious, you might want to have a local policy about angle-
brackets!)

- -- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBZ+RQ7WHfC/FfW545EQI+eACdGBEn4PlGYda0cV28b8VYg6LZkHsAnip4
O2pJ8sxW0YysG1yLLrEN7GGY
=5NHU
-----END PGP SIGNATURE-----

_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org
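
The local policy discussed in the thread above (tolerate a plain-text footer of a few lines, refuse anything containing angle brackets), as an added example that is not part of any message in the thread or of DKIM2. It assumes the verifier has already reversed the recorded changes and holds both bodies; `classify_change`, `MAX_FOOTER_LINES` and the sample bodies are hypothetical.

```python
# Added illustration of a receiver-side local policy; not part of DKIM2.
# Assumption: the verifier has already reversed the recorded changes, so it
# holds both the body the original sender signed and the body it received.

MAX_FOOTER_LINES = 4   # assumed local limit for "a few lines"


def classify_change(original_body: str, received_body: str) -> str:
    """Return 'unchanged', 'tolerated-footer' or 'rejected:<reason>'."""
    orig = original_body.replace("\r\n", "\n").rstrip("\n").split("\n")
    recv = received_body.replace("\r\n", "\n").rstrip("\n").split("\n")

    if recv == orig:
        return "unchanged"
    # Only additions after the original text are considered; any edit
    # inside the original lines is out of policy.
    if len(recv) < len(orig) or recv[:len(orig)] != orig:
        return "rejected:original-text-altered"

    footer = recv[len(orig):]
    content_lines = [ln for ln in footer if ln.strip()]
    if len(content_lines) > MAX_FOOTER_LINES:
        return "rejected:footer-too-long"
    # The cautious angle-bracket policy: no markup, and no <...>-wrapped
    # URLs or addresses, in anything an intermediary appended.
    if any("<" in ln or ">" in ln for ln in footer):
        return "rejected:angle-brackets"
    return "tolerated-footer"


# Constructed sample bodies.
ORIGINAL = "Hi all,\r\nthe meeting is at 10:00.\r\n"
WITH_FOOTER = ORIGINAL + "-- \r\nexample-list mailing list\r\n"
WITH_HTML = ORIGINAL + "<p>Meeting cancelled</p>\r\n"
EDITED = "Hi all,\r\nthe meeting is at 11:00.\r\n-- \r\nexample-list\r\n"

if __name__ == "__main__":
    for name, body in [("footer", WITH_FOOTER), ("html", WITH_HTML),
                       ("edited", EDITED)]:
        print(name, classify_change(ORIGINAL, body))
```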