ietf-dkim

Re: [ietf-dkim] The (really) latest SSP draft

2007-10-29 04:12:36
On Sat, 27 Oct 2007 16:13:47 +0100, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:

> Discussion about raw DKIM signing sometimes seems to have the underlying view that the From field is validated as being accurate. At the least, this seems to vary among different folk. I wanted to see whether there is a clear view one way or the other.

I think it is clear from replies so far that a DKIM signature certifies no more than "This is the state of the headers at the time I constructed the signature", which is rather weak.

OTOH, there is that mention of "responsibility" which seems to imply something stronger; but since "responsibility" is not defined, it is still rather meaningless.

I suppose there is also an implication in a signature that "I am authorised to issue signatures on behalf of the domain in question", but that is still rather weak.

But again, since the whole point of DKIM is to enable one to detect messages that did not originate from where they purport to have originated (such signatures ought to fail), it would seem that RFC 4871 really is too weak to fulfil that purpose.

> I'm not suggesting "fixing" DKIM. I'm seeking clarity among the community. (It's a California thing.)

So I think RFC 4871 ought to be "fixed" (unless we can find some way of fixing it in SSP, for example by enabling the SSP record to assert "we only sign where the From/Sender has been verified").

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5