On Wed 08/Mar/2023 18:39:37 +0100 John R Levine via mailop wrote:

And why does RFC8058 require that fields such as List-Unsubscribe-Post: MUST be signed?

Is it a special "One click" case? I was not interested in it yet...

Yes, the idea was to prevent malicious unsubs by sending fake spam with someone else's one-click unsub.


Would a MUA send a POST to a known domain if it was found on a message coming from an unknown, or anyway different domain?

It may be that in the tradeoff between resilience and security the latter wins. In that case shouldn't RFC8058 have modified Section 5.4.1 of RFC6376, Recommended Signature Content?

Should software that defines the default fields to sign after that section add List-Unsubscribe-Post to that list?


Best
Ale
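
The header-coverage condition discussed in this thread, as an added example that is not part of the original message: it reports which DKIM signatures list both `List-Unsubscribe` and `List-Unsubscribe-Post` in their `h=` tag. It assumes the signatures are cryptographically verified elsewhere; the sample message, domains and function names are constructed for illustration.

```python
import email
from email import policy

# Constructed sample message (not from the thread); bh=/b= values are placeholders.
SAMPLE = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; c=relaxed/relaxed;
\th=From:To:Subject:Date:List-Unsubscribe; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=sel2;
\th=from:subject:list-unsubscribe:list-unsubscribe-post;
\tbh=PLACEHOLDER; b=PLACEHOLDER
From: News <news@lists.example.net>
Subject: constructed sample
List-Unsubscribe: <https://lists.example.net/u?id=PLACEHOLDER>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

body
"""

# Header fields that a signature must cover before one-click is honoured.
REQUIRED = {"list-unsubscribe", "list-unsubscribe-post"}


def parse_tags(value):
    """Split a DKIM-Signature value into a tag=value dict (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Remove folding whitespace inside the value (safe for h= and d=).
            tags[name.strip().lower()] = "".join(val.split())
    return tags


def one_click_coverage(raw):
    """Return the d= domains whose h= tag covers both one-click header fields."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    # Both header fields must be present in the message at all.
    if not all(msg.get(h) for h in REQUIRED):
        return []
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        signed = {h.lower() for h in tags.get("h", "").split(":")}
        if REQUIRED <= signed:
            domains.append(tags.get("d", ""))
    return domains
```

Comparing the returned `d=` domains with the domain in the unsubscribe URI is a policy decision left to the caller.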