
Re: debian.org e-mail address and SPF/SRS



* Matthew Palmer 

| See, that's the thing that the FAQ was unclear on.  If you don't have to
| sign all headers, then you're OK.  I was thinking the attachment of
| Received: headers as being particularly problematic.  To quote the FAQ:
| 
| "Mailing lists that do not change the content or re-arrange or append
| headers will be DomainKey compatible with no changes required. Mailing lists
| that change the message and headers should re-sign the message with their
| own private key and claim authorship of the message."
| 
| That suggests to me that sticking new headers into the mix would screw up
| the signature.

from the IETF draft:

: The current valid tags are:
[...]
:  h = A colon separated list of header field names that identify the
:      headers presented to the signing algorithm.

If this value is missing, all headers after the DomainKeys signing
header are assumed signed, which of course is not true, so you are
right that this will cause a problem with mailing lists.

I think this should be brought to the attention of the domainkeys
people, making this tag compulsory.

-- 
Tollef Fog Heen                                                        ,''`.
UNIX is user friendly, it's just picky about who its friends are      : :' :
                                                                      `. `' 
                                                                        `-  
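
Added example, not part of the original message and not DomainKeys code: a simplified Python model of the header selection discussed above, comparing what gets hashed with and without the h= tag when a mailing list adds a header below the signature header. The sample message, the domain and selector values, and the SHA-1 digest standing in for the real RSA signature check are assumptions made for illustration.

```python
import hashlib

def parse_tags(value):
    """Split a 'k=v; k=v' signature header value into a dict of tags."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def headers_presented(headers):
    """Headers a verifier would feed to the signing algorithm.

    headers: (name, value) pairs in top-to-bottom order. Simplified model:
    no canonicalization, no body, every name matching h= is kept.
    """
    idx = next(i for i, (n, _) in enumerate(headers)
               if n.lower() == "domainkey-signature")
    following = headers[idx + 1:]
    h = parse_tags(headers[idx][1]).get("h")
    if h is None:                     # no h=: all headers after the signature
        return following
    wanted = {name.strip().lower() for name in h.split(":")}
    return [(n, v) for n, v in following if n.lower() in wanted]

def digest(headers):
    """SHA-1 over the presented headers; stands in for the RSA signature input."""
    data = "".join(f"{n}:{v}\r\n" for n, v in headers_presented(headers))
    return hashlib.sha1(data.encode()).hexdigest()

def make_message(with_h):
    """Constructed sample message; domain, selector and addresses are made up."""
    sig = "a=rsa-sha1; d=example.org; s=sel; b=PLACEHOLDER"
    if with_h:
        sig += "; h=From:To:Subject"
    return [("DomainKey-Signature", sig), ("From", "alice@example.org"),
            ("To", "list@lists.example.net"), ("Subject", "hello")]

def survives_list(with_h):
    """True if the hashed input is unchanged after a list adds a header below."""
    original = make_message(with_h)
    relayed = original + [("List-Id", "<list.lists.example.net>")]
    return digest(original) == digest(relayed)

if __name__ == "__main__":
    print("with h=   :", survives_list(True))
    print("without h=:", survives_list(False))
```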


