John R. Levine wrote:
want to allow modification of the subject field (e.g., adding a tag)
and/or the body (e.g., adding header and footer) - then you might have
to be a little cleverer, perhaps by providing information about the
diffs in extra headers and doing a few comparisons at the receiving end
(subject tag = *****<original-signed-subject>).
That's unlikely to be a productive direction to go. We had a lot of
arguments about message modification when we were designing the DKIM
strict and loose message digests. We never found a way to allow
subject tags that wouldn't also enable all sorts of abuse, and I don't
think we missed anything.
The reasonable way to use DKIM with mailing lists has always been for
the list to add its own signature, and to use the list signatures to
develop a (presumably good) reputation for the list so its mail gets
delivered. See the signatures on the messages from this list for an
example.
I was thinking about combining:
- two signatures: at origination, by the list manager
- adding an additional header, along the lines of "original-subject"
- allowing for:
-- not breaking validation of the originating signature
-- adding tags to the subject line (and copying the original subject to
original-subject)
-- adding a new signature at the mailing list
-- validating the original signature at receipt (just using the
original-subject header in place of the tagged subject line)
-- doing a diff on the two subject lines to validate that the only thing
added was a text tag before the original subject
Doesn't address the non-aligned From: header issue, but does reduce one
impact.
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra