On March 11, 2023 6:05:52 PM UTC, Steffen Nurpmeso via Postfix-users <postfix-users@postfix.org> wrote:
>postfix-users@postfix.org wrote in
> <zawffxwgo00w+...@straasha.imrryr.org>:
> |On Sat, Mar 11, 2023 at 01:54:01AM +0100, Steffen Nurpmeso via Postfix-u\
> |sers wrote:
> |
> |> - sign the entire message as for now,
> |
> |You're confusing the message and the envelope.
>
>..no? No.
>
> |> - but include a "cramped=1" tag that signals that all receivers
> |> are actually covered by the DKIM signature, so
> |
> |The envelope is not part of the signed message, and the envelope changes
>
>That "cramped=1" would be in the usual DKIM header, i'd presume.
>
> |in transit, and is knowable to the message signer when the message is
>
>(But mostly MUST NOT with some SHOULD NOTs, right?)
>
> |first submitted to the mail system.
> |
> |Whatever problem you're trying to solve, it has nothing to do with
> |DKIM.
>
>I was talking RFC 6376.
>They try to deal with DKIM replay, and a real (beside all
>the babble) suggestion was exactly what i wrote.
>So the message would be signed just as now, but to avoid replay
>the actual RCPT-TO would get its own additional signed Header
>field (i would think that was the idea), so that had to be spliced
>into the RCPT-TO:<> specific variant of the message.
>
>(The alternative to fulfil this RCPT-TO:<> specific variant would
>be to sign _the entire message_ for each RCPT-TO:<>, which is more
>expensive. This is what the MUA i maintain does for S/MIME
>encryption, but i think at scale this would be way more expensive
>for say a ML that DKIM signs than simply preparing the message and
>prepending a RCPT-TO:<> specific signed DKIM addition that is
>signalled via a tag in the normal DKIM signature.)
>
>But i treat your answer as if milters will not do that.

If you want to talk about DKIM replay, the IETF DKIM working group was just rechartered to work on that exact thing: ietf-d...@ietf.org .

Scott K
[pfx] Re: milter: could it splice (, somehow)?
Scott Kitterman via Postfix-users Sat, 11 Mar 2023 10:22:45 -0800