On Fri, 18 Aug 2017, Phillip Hallam-Baker wrote:
Seems like overkill. How about you pay attention to the Supersedes:
(see RFC 2156 and RFC 4021, section 2.1.46) if old and new messages
both have DKIM signatures from the same domain? Same question about
why after 20 years nobody uses it outside of netnews.
DKIM almost helps but this is a data level feature and it really does not
work well with a presentation layer authentication scheme like DKIM.
I suppose, but you'd need something like DKIM if you want to prevent
attacks where the bad guy splices his headers onto your message, and it
has the advantage that it exists and is widely deployed.
It's certainly not perfect, e.g., any gmail user could supersede anyone
else's unless gmail limited what headers they sign, but that doesn't seem
like a high value attack.
And to make it work well, you have to start from a messaging infrastructure
where every message and sender can authenticate themselves
cryptographically from the beginning...
... with a pony?
R's,
John