On 28/06/2022 11:32, Alessandro Vesely via mailop wrote:
On Mon 27/Jun/2022 13:39:52 +0200 Vsevolod Stakhov via mailop wrote:
On 25/06/2022 18:14, John Levine via mailop wrote:
It appears that Vsevolod Stakhov via mailop <vsevo...@rspamd.com> said:
I really, really miss one simple feature in ARC signatures. Whilst it is +/- trivial to have a list of trusted signers on the receiver side, it would be super helpful to allow **a sender** to specify its next trusted hop.
You mean like this?
https://datatracker.ietf.org/doc/draft-levine-dkim-conditional/
I proposed that in 2014, the ARC crowd didn't go for it.
Yes, that's exactly what I have in my mind if thinking about how to
`fix` dmarc for forwarding!
And it doesn't introduce the bloated complexity that ARC does, allowing authority to be restored by just following DKIM signatures. It is not a silver bullet, as you still have the choice whether or not to trust those forwarders, but it is really the sender's choice, like the whole DMARC policy.
I agree that would've been better than ARC. However, it'd still need to know which recipients are mailing lists supporting DKIMv2 and operate accordingly. For example, on a reply-all the MSA should split the message and sign it regularly for regular recipients and conditionally for MLs.
Interesting, I have just found that the current DKIM RFC actually states that a verifier must *ignore* unknown tags in the signature:
https://datatracker.ietf.org/doc/html/rfc6376#section-3.2
However, my own DKIM verifier implementation in Rspamd fails to comply with this requirement (I will fix it soon). I'm curious now how many of the existing DKIM implementations panic on unknown tags in DKIM signatures.
If we ignore unknown tags safely, then this extension can be introduced without any additional compatibility issues, I suppose.
Albeit requirements differ, both ARC and dkim-conditional would need to
exchange info between a mailing list and each subscriber's MTA in order
to operate as intended. Perhaps an extended opt-in protocol...?
Well, it is possible for ML software to keep all signatures in a Merkle tree and store any additional information about the particular signature to share it with the interested receivers. However, it might be overkill in general, I don't know.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
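The RFC 6376 section 3.2 requirement raised in the thread (a verifier must ignore tags it does not recognise) is the kind of thing a DKIM implementer gets wrong by being too strict. The following is an added example, not code from the thread and not Rspamd's verifier: a tag-list parser that keeps unknown but well-formed tags and still PERMFAILs on the things the RFC does call errors (duplicate tags, bad tag names, missing required tags), beside a `strict` switch that reproduces the non-compliant behaviour. The `x_ext` tag and all values in `SIGNATURE` are constructed stand-ins, not a real extension or a real signature.

```python
"""Tolerant DKIM-Signature tag-list parsing per RFC 6376 section 3.2.

Added example (not from the mailop thread and not Rspamd code): shows the
compliant behaviour (unknown tags are ignored) beside the non-compliant
'strict' behaviour (unknown tags cause a PERMFAIL).
"""
import re
from typing import Dict

# Tags RFC 6376 section 3.5 defines for the DKIM-Signature header.
KNOWN_TAGS = {"v", "a", "b", "bh", "c", "d", "h", "i", "l", "q", "s", "t", "x", "z"}
# Tags section 3.5 marks REQUIRED; a signature without them is not verifiable.
REQUIRED_TAGS = {"v", "a", "b", "bh", "d", "h", "s"}
# tag-name = ALPHA *ALNUMPUNC, ALNUMPUNC = ALPHA / DIGIT / "_" (section 3.2).
TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


class TagListError(ValueError):
    """Malformed tag list: the verifier must treat the signature as PERMFAIL."""


def parse_tag_list(value: str, *, strict: bool = False) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict.

    strict=False follows RFC 6376 section 3.2: syntactically valid tags the
    verifier does not recognise are kept but otherwise ignored.  strict=True
    reproduces the non-compliant behaviour of rejecting them.
    """
    tags: Dict[str, str] = {}
    for spec in value.split(";"):
        if not spec.strip():
            continue  # a trailing ';' is permitted by the grammar
        if "=" not in spec:
            raise TagListError(f"tag-spec without '=': {spec!r}")
        name, val = spec.split("=", 1)
        name = name.strip()  # FWS around the tag name is not significant
        val = val.strip()    # ... nor around the value (folded headers)
        if not TAG_NAME.match(name):
            raise TagListError(f"invalid tag name: {name!r}")
        if name in tags:
            # Section 3.2: a tag-list containing duplicate tags is invalid.
            raise TagListError(f"duplicate tag: {name!r}")
        if name in ("b", "bh"):
            # Section 3.5: whitespace inside the b= and bh= values is ignored.
            val = "".join(val.split())
        if name not in KNOWN_TAGS and strict:
            raise TagListError(f"unknown tag: {name!r}")  # non-compliant path
        tags[name] = val
    missing = REQUIRED_TAGS - tags.keys()
    if missing:
        raise TagListError(f"missing required tags: {sorted(missing)}")
    if tags["v"] != "1":
        raise TagListError(f"unsupported version: {tags['v']!r}")
    return tags


def verifier_accepts_syntax(value: str, *, strict: bool = False) -> bool:
    """True if the tag list parses; the cryptographic check would follow."""
    try:
        parse_tag_list(value, strict=strict)
    except TagListError:
        return False
    return True


# Constructed DKIM-Signature value, folded as it would appear on the wire.
# 'x_ext' is a hypothetical extension tag standing in for a future addition
# such as the one discussed in the thread; the base64 values are dummies.
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2022;\r\n"
    "\th=from:to:subject:date; bh=ZmFrZS1ib2R5LWhhc2g=;\r\n"
    "\tx_ext=forwarder.example.net;\r\n"
    "\tb=ZmFrZS1z aWduYXR1\r\n\t cmU="
)

if __name__ == "__main__":
    print("compliant verifier accepts:", verifier_accepts_syntax(SIGNATURE))
    print("strict verifier accepts:   ", verifier_accepts_syntax(SIGNATURE, strict=True))
    print("unknown tags seen:", sorted(parse_tag_list(SIGNATURE).keys() - KNOWN_TAGS))
```

Running it shows the same header passing the compliant parser and failing the strict one; the unknown tag is returned alongside the known ones so that a verifier which later learns about the extension can read it without the parser changing.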