dkim-dev

Re: [dkim-dev] DomainKeys vs DKIM: Identifying the Sending Domain

2007-05-05 16:48:23


Tim Gokcen wrote:
I guess what I'm really trying to ask here is, does DKIM provide a mechanism to tell the receiving MTA *which* field a particular DKIM signature is intended to apply to?

DKIM specifies which fields are part of the signature. So I suppose the question is what you mean by "apply to". From your earlier notes in this thread, you appear to focus on something akin to authorship.

What experience with path registration schemes, like SPF and Sender-ID, and with DomainKeys, has underscored is that we can have simplistic models that work only some of the time, or we can have a flexible model that applies more broadly. DKIM takes this latter approach.

The real challenge is that this is a layered topic and DKIM works at the bottom layer: Allow someone to take responsibility. Once you have a responsible identity, you can a) let them make assertions about their behavior, and b) let others make assertions about their behavior. The combination of these two lets receiving engines make handling decisions.

Anything that is more tightly integrated tends to look great, for simple cases, but falls apart beyond them.


Right now, we are using only the older DomainKeys spec, and in particular this causes our messages to fail verification with Yahoo's mail servers since the signing identity is in Resent-From (instead of From or Sender) as we wish to mask the relay from the MUA. As I

Whereas DKIM lets you use any identity you want.


understand it, the idea of DKIM & DomainKeys (and SPF & Sender-ID) is not necessarily to validate that a message "from" joe@domain.com is *really* from that address, but to provide a mechanism whereby an MTA at some point in the relay chain cryptographically asserts a certain responsibility for the message. This increases the verifiability of that relaying agent, and thus on the receiving side the MTA may decide to trust the message more than it otherwise would, since if the message turns out to be spam/phishing/etc. junk, then at least there is some degree of accountability.

Is my reasoning correct?

Yup.

d/

--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net
_______________________________________________
dkim-dev mailing list
dkim-dev(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-dev
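
Added example, not part of the original message or of any DKIM implementation: a short Python sketch that reads a DKIM-Signature header, reports the responsible domain (d=) and the header fields the signature covers (h=), and shows that the signing domain need not match From or Sender. The sample message, its domains, the selector and the helper names are constructed for illustration, and no cryptographic verification is performed.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread): a relay signs as
# relay.example and covers Resent-From, while From names another domain.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=relay.example;
 s=sel2007; i=@relay.example; h=Resent-From:From:Subject:Date;
 bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE=
Resent-From: list-relay@relay.example
From: joe@domain.example
Sender: joe@domain.example
Subject: hello
Date: Sat, 05 May 2007 16:48:23 -0000

body
"""

def parse_tag_list(value):
    """Split a DKIM tag=value list into a dict, removing folding whitespace."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue  # skip empty trailing items
        name, _, val = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def addr_domain(header_value):
    """Return the lowercased domain of the first address in a header value."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else None

def describe_signature(raw_message):
    """Report signer, signed fields, and which address fields share its domain."""
    msg = message_from_string(raw_message)
    tags = parse_tag_list(msg["DKIM-Signature"])
    signer = tags["d"].lower()                        # domain taking responsibility
    signed = [h.lower() for h in tags["h"].split(":")]  # fields covered by the hash
    aligned = {}
    for field in ("from", "sender", "resent-from"):
        dom = addr_domain(msg[field])
        aligned[field] = (dom is not None and
                          (dom == signer or dom.endswith("." + signer)))
    return {"signer": signer, "identity": tags.get("i"),
            "signed_fields": signed, "aligned": aligned}
```

For the constructed message, the signer is relay.example, the signature covers Resent-From and From among other fields, and only Resent-From shares the signer's domain.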