Re: Using OpenDKIM for iSchedule from Murray S. Kucherawy on 2012-06-06 (OpenDKIM Developers mailing list)

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Wed, 6 Jun 2012 21:18:11 -0700 (PDT)

On Wed, 6 Jun 2012, Ken Murchison wrote:
>>> 1. Is there a way to keep the library from requiring a From: header,
>>> other that modifying the source? This obviously makes it email-centric.
>>
>> The From: header is required as mentioned in Section 5.4 of RFC 6376. The
>> only way around that is to modify the source.
>
> Right. I wasn't sure if there was some function call or back-door that I
> wasn't seeing in the source.

SM's correct, we don't have a way to do that since we're pure to DKIM
specs and focused on email, so we force "from" into the list. It sounds
like your patch might be useful for future extensions though, so I hope
you'll contribute it back to us. :-)

>>> 2. What is the proper way to include an extra instance of a header field
>>> name in "h=", per section 5.4.2 of RFC 6373? iSchedule will most likely
>>> require that "h=" includes the number of Recipient: headers + 1, to
>>> protect from intermediaries adding Recipients. Obviously, the signer
>>> needs to add the extra instance, but does the verifier have to as well?
>>
>> See dkim_options() and DKIM_OPTS_ALWAYSHDRS for signing. If a header is
>> listed in "h=", the verifier will automatically look for it. That
>> "protects" from the header being added in transit if it was not present
>> during DKIM signing. BTW, the To" and Cc: headers are signed. Isn't that
>> adequate protection from a RFC 5322 perspective?
>
> Thanks, I will look into ALWAYSHDRS. I won't have To: or Cc: headers.
> iSchedule is a HTTP-based protocol for transferring iCalendar scheduling
> objects and it uses a different set of headers.

DKIM_OPTS_ALWAYSHDRS won't help for the case where a named header field
already exists, and you want to add one more to prevent a duplicate from
being added. It does help for the case where you expect a field to be
absent at signing, to ensure it can't be added later.

If you always want to add an "h=" instance of a name whether it's present
or not, you want DKIM_OPTS_OVERSIGNHDRS. That's an experimental feature
of the library you have to request at build time in v2.5.x by saying
"--enable-oversign" to ./configure.

DOSETA is idle because of lack of uptake. However, since you have a use
case, I'll pass that on and maybe we can get some movement on it.

-MSK
Received on Thu Jun 07 2012 - 04:18:28 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:33:33 PST