On 11/30/2017 07:38 PM, John R. Levine wrote:
I did a draft of a double signing thing that let the sender say who's expected to sign a modified forwarded version. The big mail systems weren't interested. They want the recipient system to decide.
https://datatracker.ietf.org/doc/draft-levine-dkim-conditional/
Okay, I've now read your draft and have some questions.

How would the !fs tag enable multiple forwarders? The only way that I can think of is for the originating mail server to DKIM sign the message twice, 1st with the classic DKIM-Signature w/o the !fs tag, and 2nd with a DKIM-Signature that includes the !fs tag with a value of the recipient's domain.

I would assume that would mean that the recipient could then forward the message to a new recipient and that their outgoing mail server would also sign twice, 1st with classic DKIM-Signature w/o the !fs tag, and 2nd with a DKIM-Signature that includes the !fs tag with a value of the new recipient's domain.

A1: DKIM-Signature: ... d=domainA.example ...
A2: DKIM-Signature: ... d=domainA.example; !fs=domainB.example ...
<1st forward>
B1: DKIM-Signature: ... d=domainB.example ...
B2: DKIM-Signature: ... d=domainB.example; !fs=domainC.example ...
<2nd forward>
C1: DKIM-Signature: ... d=domainC.example ...
C2: DKIM-Signature: ... d=domainC.example; !fs=domainD.example ...
<3rd forward>
D1: DKIM-Signature: ... d=domainD.example ...
D2: DKIM-Signature: ... d=domainD.example; !fs=domainE.example ...
<4th forward>
E1: DKIM-Signature: ... d=domainE.example ...
E2: DKIM-Signature: ... d=domainE.example; !fs=domainF.example ...

(I suppose that this pattern could go on forever.)

Is this what you were intending? A list of DKIM-Signatures linked via !fs tags?

If I do understand correctly, I think that it's intriguing. I'm not aware of anything else that would work quite the same way.

-- 
Grant. . . . unix || die
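The chain described in the message above, as an added example that is not part of the thread or of the draft: a small Python checker that parses DKIM-Signature header fields and follows the !fs links from the originating domain. It assumes the reading given in the message (each signer adds a plain signature plus a second one whose !fs names the domain expected to sign next); the sample headers, selector names and b=/bh= values are constructed placeholders, and no cryptographic verification is performed, only the linkage walk.

```python
"""Walk a chain of DKIM-Signature headers linked through !fs tags.

Assumption (from the thread, not from the draft text itself): each hop adds
a plain signature and a second signature carrying !fs=<next signer>.
"""
import re

# Constructed sample: the first three hops of the chain in the message.
# bh=/b= are placeholders, not real signatures; one header is folded to show
# that folding whitespace is handled.
SAMPLE_HEADERS = [
    "DKIM-Signature: v=1; a=rsa-sha256; d=domainA.example; s=s1; bh=AAAA=; b=AAAA=",
    "DKIM-Signature: v=1; a=rsa-sha256; d=domainA.example; s=s1; !fs=domainB.example; bh=AAAA=; b=AAAA=",
    "DKIM-Signature: v=1; a=rsa-sha256; d=domainB.example; s=s1; bh=BBBB=; b=BBBB=",
    "DKIM-Signature: v=1; a=rsa-sha256; d=domainB.example; s=s1; !fs=domainC.example; bh=BBBB=; b=BBBB=",
    "DKIM-Signature: v=1; a=rsa-sha256; d=domainC.example; s=s1;\r\n\t bh=CCCC=; b=CCCC=",
    "DKIM-Signature: v=1; a=rsa-sha256; d=domainC.example; s=s1; !fs=domainD.example; bh=CCCC=; b=CCCC=",
]


def parse_dkim_tags(header):
    """Parse one DKIM-Signature header into a tag -> value dict.

    Follows the RFC 6376 tag-list shape: unfold, split on ';', split each
    item on its first '=' (so base64 padding in b=/bh= survives), and strip
    whitespace inside values. Duplicate tags are rejected.
    """
    name, sep, value = header.partition(":")
    if not sep or name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header: %r" % name)
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # remove header folding
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue  # a trailing ';' is permitted
        tag, eq, val = item.partition("=")
        tag = tag.strip()
        if not eq or not tag:
            raise ValueError("malformed tag: %r" % item)
        if tag in tags:
            raise ValueError("duplicate tag: %r" % tag)
        tags[tag] = "".join(val.split())
    if "d" not in tags:
        raise ValueError("signature lacks d= tag")
    return tags


def walk_forward_chain(headers, origin):
    """Follow !fs links starting at `origin` (domains compared case-insensitively).

    Returns a dict:
      chain   - domains that have signed, in forwarding order
      pending - the domain the last signer named in !fs that has not yet signed
                (None if the last signer named nobody)
      errors  - problems found: a loop, a domain with only a conditional
                signature, or a domain naming more than one next signer
    """
    by_domain = {}
    for h in headers:
        tags = parse_dkim_tags(h)
        by_domain.setdefault(tags["d"].lower(), []).append(tags)

    chain, errors, pending = [], [], None
    current = origin.lower()
    while current is not None:
        sigs = by_domain.get(current)
        if sigs is None:
            pending = current  # named by !fs but has not signed (yet)
            break
        if current in chain:
            errors.append("loop: %s already in chain" % current)
            break
        chain.append(current)
        plain = [s for s in sigs if "!fs" not in s]
        cond = [s for s in sigs if "!fs" in s]
        if not plain:
            errors.append("%s has only a conditional signature" % current)
        if len(cond) > 1:
            errors.append("%s names more than one next signer" % current)
        current = cond[0]["!fs"].lower() if cond else None
    return {"chain": chain, "pending": pending, "errors": errors}


if __name__ == "__main__":
    print(walk_forward_chain(SAMPLE_HEADERS, "domainA.example"))
```

Run against the constructed sample, the walk reports domainA, domainB and domainC as the signers so far and domainD.example as the party the last !fs expects to sign next; a signature whose !fs points back at a domain already in the chain is flagged as a loop rather than followed.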