OpenARC icon indicating copy to clipboard operation
OpenARC copied to clipboard
verified publisher icon trusteddomainproject

Remove t from the list of required AS tags

Open flowerysong opened this issue 6 years ago • 4 comments

"t" is imported from RFC 6376 section 3.5, which states:

t= Signature Timestamp (plain-text unsigned decimal integer;
   RECOMMENDED, default is an unknown creation time).  The time
   that this signature was created.

Its inclusion in this list results in spurious ARC verification failures.

flowerysong avatar Aug 29 '19 20:08 flowerysong

@martinbogo It's been almost ten months since https://github.com/trusteddomainproject/OpenARC/issues/123#issuecomment-644220261; any progress on merging this critical bugfix?

flowerysong avatar Apr 11 '21 01:04 flowerysong

We are working on getting OpenDMARC 1.4.1 out the door. Once that's completed, we'll circle back to working on OpenARC and OpenDKIM.

On Sat, Apr 10, 2021 at 8:51 PM flowerysong @.***> wrote:

@martinbogo https://github.com/martinbogo It's been almost ten months since #123 (comment) https://github.com/trusteddomainproject/OpenARC/issues/123#issuecomment-644220261; any progress on merging this critical bugfix?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/trusteddomainproject/OpenARC/pull/121#issuecomment-817233326, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAB5KKNX2HL7QG2U55ZI633TID6CFANCNFSM4ISGVJVA .

martinbogo avatar Apr 11 '21 02:04 martinbogo

@martinbogo That's really not acceptable. This is a bug that makes the library unfit for purpose (since it breaks validation of ARC signatures from any domain hosted by Microsoft) and the fix is a one-line change.

If you want to pretend this project is viable, you need to make more progress in ten months than "we'll circle back to it".

flowerysong avatar Apr 16 '21 18:04 flowerysong

@flowerysong

We are three people with limited time, and extremely limited resources. The only way anything gets done is by focusing on one thing at a time, putting the work in, and then moving to the next item. Your feedback is valid, its true, and yet ultimately not that helpful. Sorry to be blunt, but being told we aren't working hard enough, or long enough, or paying attention to a particular branch or fix won't make it happen. OTOH, making it easier for us by making a codefix, PR, testing the merge in a fork and then reporting back? That is helpful, especially if it's against the current development branch

The working group behind ARC seals and DKIM is (slowing) working through to a new RFC and milestones. I recently recruited @thegushi ( Dan ) to help so we can get merge in critical bugfixes in DMARC and move 1.4.1 out the door ( which is expected to drop in the next 72 hours ).

After that, Murray, Dan, and I will refocus and look at critical and community CVE and serious bugfixes in DKIM and ARC, especially as they relate to recent issues solved by working on DMARC.

Keep submitting PR's and issues. We'll keep on working.

-Martin

On Fri, Apr 16, 2021 at 1:57 PM flowerysong @.***> wrote:

@martinbogo https://github.com/martinbogo That's really not acceptable. This is a bug that makes the library unfit for purpose (since it breaks validation of ARC signatures from any domain hosted by Microsoft) and the fix is a one-line change.

If you want to pretend this project is viable, you need to make more progress in ten months than "we'll circle back to it".

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/trusteddomainproject/OpenARC/pull/121#issuecomment-821480098, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAB5KKLU6AIF7DTBWLS4JVDTJCCBDANCNFSM4ISGVJVA .

martinbogo avatar Apr 20 '21 21:04 martinbogo