Problem
--------
All the fedora mail lists are not handling domain keys and dkim signed
mail correctly.
The mail list leaves the original signatures but breaks the headers
thereby making the signature fail.
There are several choices, but breaking DKIM as it does is the worst.
Solutions:
-----------
The list server should either
(1) leave the original message headers intact
(2) If signed headers are mofified - remove original signature
(a) delete original signature
(b) delete original signature and sign outgoing as list server
(3) Leave original message intact and signed - list server should then
sign its own message along with the forwarded message as an attachment.
This way allows both the original and the forwarded message to be checked.
Comments:
---------
(1) is ok
(2) is not ideal as it defeats purpose of signing mail tho (b) is
better than (a)
(3) Is the best available choice.
It would be even better if the DKIM milter recursively checked all
attached signed messages as well - which is not in the current version.
In fact it should be part of the spec itself and thus required.
gene/
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
