dkim-ops

Re: [dkim-ops] [Dkim-contact] When i switched to "g=bh", Gmail said (...)

2008-11-04 20:22:08

OK, I reviewed the "i" tag again. Someday I'll contact the
DKIMProxy developer directly about this "i" tag issue. Thanks, Vijay, for
the cool explanation ;;

Vijay Eranti (✌ విజయ్ ఈరంటి) wrote:
hi byung-hee hwang,

It seems we are doing what is specified in spec.

Your dkim signature

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=izb.knu.ac.kr;
       h=message-id:date:from:mime-version:to:subject:content-type:
      content-transfer-encoding; s=dj; bh=QiPZXJCZYs3YqbS59DQ6rAk23YbX
      xD8YurNQDfizz78=; b=pGMXFSrqz4ad4yCTUGKdb0XtDefczz+bvyIFSTF9T7gT
      SBXUjM/In6JXbJMLMAxDBotxWrhHP8XxTihOfcwRuxdZJhQ4TnPzKrE8qY8KKNEK
      ojn7LMpnn4dtcwjbT4KWh12IWLCnKppgUulSgqeWwzyGtCnMxS3aPYGBlPJ7IqU=

is missing the i= part. The spec says that

i=  Identity of the user or agent (e.g., a mailing list manager) on
       behalf of which this message is signed (dkim-quoted-printable;
       OPTIONAL, *default is an empty Local-part* followed by an "@"
       followed by the domain from the "d=" tag).  The syntax is a
       standard email address where the Local-part MAY be omitted.  The
       domain part of the address MUST be the same as or a subdomain of
       the value of the "d=" tag.


So, the spec tells us to match the empty string "" (which is the default
value of the i= local part) with whatever you specify in g= - in this case,
you are specifying g=bh for the failure case. And hence we are failing the
message. Please review the dkim spec and add an i=bh@izb.knu.ac.kr as per
it to the dkim signature.

2008/11/4 Byung-Hee HWANG <bh@izb.knu.ac.kr>

Here is the full header that failed DKIM verification:

<URL:http://izb.knu.ac.kr/~bh/stuff/gmail-full-header-2008110501>

FYI, I used/use Jason's DKIMProxy for signing the DKIM signature ;;

Vijay Eranti (✌ విజయ్ ఈరంటి) wrote:
Can you send me a sample dkim signature that failed?
Here is what the spec says:

g=  Granularity of the key (plain-text; OPTIONAL, default is "*").
       This value MUST match the Local-part of the "i=" tag of the DKIM-
       Signature header field (or its default value of the empty string
       if "i=" is not specified). An email with a signing address that
       does not match the value of this tag constitutes a failed
       verification.

       The intent of this tag is to constrain which signing address can
       legitimately use this selector, for example, when delegating a
       key to a third party that should only be used for special
       purposes.

I am interested in what you specified in your i= in the dkim
signature.


On Mon, Nov 3, 2008 at 8:27 PM, Byung-Hee HWANG <bh@izb.knu.ac.kr> wrote:


When I used "g=*", Gmail said as follows:

       dkim=pass (test mode) header.i=@izb.knu.ac.kr

When I switched to "g=bh" from "g=*", Gmail said as follows:

       dkim=neutral (no key) header.i=@izb.knu.ac.kr

Below is my current TXT record for DKIM:

bh@chrys:~> dig +short dj._domainkey.izb.knu.ac.kr. TXT
"v=DKIM1; k=rsa; g=bh; s=email; t=y; p=...snip...;"
bh@chrys:~>

With the same key ("g=bh"), dkim-test@testing.dkim.org's result was:

       dkim=pass, header.i=bh@izb.knu.ac.kr

Am I wrong? Or has Gmail missed the point about the "g" tag?

byunghee
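
The g=/i= rule quoted in this thread, as an added Python sketch (not part of the original messages and not Gmail's or DKIMProxy's code). It adds the single "*" wildcard and the "empty g= never matches" rule from the same section of the DKIM spec; the function names are hypothetical, the sample tag lists are constructed from the values in the thread with h=, bh= and b= left out, and dkim-quoted-printable decoding of i= is skipped.

```python
import re

def parse_tags(value):
    """Split a DKIM tag=value list (signature or key record) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = val.strip()
    return tags

def signing_identity(sig):
    """Return (local_part, domain) of i=; the default is "@" + the d= domain."""
    identity = sig.get("i", "@" + sig["d"])
    local, _, domain = identity.rpartition("@")
    return local, domain.lower()

def granularity_matches(g, local):
    """Match g= against the i= Local-part, allowing one optional '*' wildcard."""
    if g == "" or g.count("*") > 1:
        return False  # an empty g= never matches any address
    pattern = ".*".join(re.escape(piece) for piece in g.split("*"))
    return re.fullmatch(pattern, local, re.DOTALL) is not None

def check_key_applies(sig_header, key_record):
    """Check the i=/d= and g=/i= constraints only (no crypto, no DNS lookup)."""
    sig, key = parse_tags(sig_header), parse_tags(key_record)
    local, domain = signing_identity(sig)
    d = sig["d"].lower()
    if domain != d and not domain.endswith("." + d):
        return "fail: i= domain is neither d= nor a subdomain of it"
    if not granularity_matches(key.get("g", "*"), local):
        return "fail: g= does not match i= Local-part"
    return "ok"

# Constructed samples based on the thread.
SIG_NO_I = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=izb.knu.ac.kr; s=dj"
SIG_WITH_I = SIG_NO_I + "; i=bh@izb.knu.ac.kr"
KEY_G_STAR = "v=DKIM1; k=rsa; g=*; s=email; t=y; p=...snip...;"
KEY_G_BH = "v=DKIM1; k=rsa; g=bh; s=email; t=y; p=...snip...;"

if __name__ == "__main__":
    for sig_name, sig in (("no i=", SIG_NO_I), ("i=bh@...", SIG_WITH_I)):
        for key_name, key in (("g=*", KEY_G_STAR), ("g=bh", KEY_G_BH)):
            print(f"{sig_name:9} {key_name:5} -> {check_key_applies(sig, key)}")
```

Only the combination of a signature without i= and a key with g=bh fails, which is the case the thread is about.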




