ietf-asrg

Re: [Asrg] Third party DKIM signatures

2006-05-28 16:13:00


John R Levine wrote:
> DKIM lets anyone sign any message, with no necessary connection between
> the signing domain and the domain in any other header such as From: or
> Sender:.  By third-party signatures we mean signatures that don't match
> the From: or don't match the Sender:, or don't match something else.
>
> The semantics as well as definition of third party signatures are, to put
> it mildly, somewhat unclear.  Some thought or actual experiments with such
> signatures could be helpful.


I think the above characterization has the issue reversed, or worse.

From the DKIM base specification:

1.1  Overview

   DomainKeys Identified Mail (DKIM) defines a mechanism by which email
   messages can be cryptographically signed, permitting a signing domain
   to claim responsibility for the introduction of a message into the
   mail stream.  Message recipients can verify the signature by querying

and

1.2  Signing Identity

   DKIM separates the question of the identity of the signer of the
   message from the purported author of the message.  In particular, a
   signature includes the identity of the signer.  Verifiers can use the
   signing information to decide how they want to process the message.

      INFORMATIVE RATIONALE:  The signing address associated with a DKIM
      signature is not required to match a particular header field
      because of the broad methods of interpretation by recipient mail
      systems, including MUAs.




First, this makes the semantics of the signature anything but ambiguous, or at least it focuses any ambiguity on the word "responsible" rather than on the choice of identity.

Second, it explicitly decouples the responsible identity from any other identity in the message.

To repeat: the semantics of a DKIM signature are actually quite clear and precise. I'll even go so far as to suggest that a receive-side filtering engine has utterly no concern with whether the signature identity matches the From identity's domain.

Although many folks expect a coupling to exist with the From domain reference, that is a *value-added* matter for DKIM, rather than an issue with the basic mechanism.

Yes, the sender signing practises document considers the topic, but that document has received little serious review. So we should be a bit cautious about characterizing the issue in a particular way.

For example, all of this concern about having the signing identity and rfc2822.From identity be different mostly asserts that there is a problem, without explaining its nature very clearly or substantiating the validity of the problem.

d/



--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
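
The following Python is an added example, not part of the original message or of the DKIM specification: it reads the d= tag of each DKIM-Signature header and reports whether that signing domain equals the From: and Sender: domains, showing that the same signature can count as "third party" under one definition and not under the other. Treating "match" as exact domain equality is an assumption, the sample message and its domains are constructed, and no signature is cryptographically verified.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a list-relayed message carrying two signatures.
# Domains and the PLACEHOLDER hash/signature values are made up.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=sel1;\n"
    "\th=from:sender:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=Author.Example; s=sel2;\n"
    "\th=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@author.example>\n"
    "Sender: list-bounces@lists.example.org\n"
    "Subject: test\n\nbody\n"
)

def parse_tags(header_value):
    """Parse a DKIM-Signature tag=value list; whitespace in values is dropped."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags

def addr_domain(header_value):
    """Lowercased domain of the address in a From:/Sender: header, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2].lower()

def classify_signatures(raw_message):
    """Report each signing domain and whether it equals the From:/Sender: domain."""
    msg = message_from_string(raw_message)
    from_dom = addr_domain(msg.get("From"))
    sender_dom = addr_domain(msg.get("Sender"))
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        d = parse_tags(value).get("d", "").lower()
        results.append({
            "d": d,
            "matches_from": bool(d) and d == from_dom,
            "matches_sender": bool(d) and d == sender_dom,
        })
    return results

if __name__ == "__main__":
    for row in classify_signatures(SAMPLE):
        print(row)
```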
