ietf-asrg

Re: [Asrg] Third party DKIM signatures

2006-05-31 17:37:08
On May 29, 2006, at 10:10 AM, John L wrote:

> > For example, all of this concern about having the signing identity and rfc2822.From identity be different mostly asserts that there is a problem, without explaining its nature very clearly or substantiating the validity of the problem.
>
> I basically agree. As you have noted, people seem to think that it means something if the signing domain and From: domain are the same. I was hoping I could tease out what that meaning is supposed to be.

I think it is an attempt to integrate the current world with some authentication provided by the DKIM signature. Current systems such as mailing lists rely on the From identity. If a trusted ISP were to sign the message saying that the From address is valid for the user that authenticated with the ISP then the mailing list would be able to trust the From address. This has the obvious problems of how does the mailing list assign trust to the ISP and how does the ISP learn all of the valid addresses of its users.

For a mailing list, the real solution is direct user authentication and to disregard the ISP or other delivery agent. The user's signature says only that the sender is the same entity that was confirmed during the subscription process. The list would associate the From address with that entity and no other entity would be allowed to use that From address through that list.

For the interim, a user could subscribe to a list through an ISP that adds DKIM signatures. Instead of the mailing list needing to determine the trust of the ISP it is the user that assigns trust to the ISP that carries his messages. Only a forgery that used the same ISP would then be accepted by the list. It would be up to the user to then sort the problem out with the ISP.

It may help to preemptively address the forgery issue if the ISP were to ensure that the From address were valid before signing the message. But this is an issue between the ISP and the user. If an ISP is going to allow forged addresses why would their signature verifying the address make any difference?

-- Dan Oetting


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
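
The interim scheme described in the message above (the list accepts a subscriber's From address only when the message carries a valid signature from the domain that subscriber chose), sketched as an added example that is not part of the original post or of any list software. It assumes the list's own verifier records DKIM results in an Authentication-Results header; all addresses, domains and the authserv-id are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed subscription table: From address -> signing domain (DKIM d=) the
# subscriber chose to trust when joining the list. All names are hypothetical.
PINNED = {"alice@example.org": "isp-a.example"}
OUR_AUTHSERV_ID = "lists.example.net"  # assumed id of the list's own DKIM verifier

def passing_dkim_domains(msg):
    """Collect d= domains reported as dkim=pass by our own verifier only."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        ident = parts[0].split()
        if not ident or ident[0].lower() != OUR_AUTHSERV_ID:
            continue  # written by someone else, possibly the sender: ignore
        for part in parts[1:]:
            m = re.match(r"dkim=pass\b.*?\bheader\.d=([A-Za-z0-9.-]+)", part, re.I | re.S)
            if m:
                domains.add(m.group(1).lower().rstrip("."))
    return domains

def accept_post(raw):
    """Return (accepted, reason) for one raw message submitted to the list."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    pinned = PINNED.get(from_addr)
    if pinned is None:
        return False, "From address is not subscribed"
    if pinned in passing_dkim_domains(msg):
        return True, "signed by the domain pinned for this subscriber"
    return False, "no passing signature from the pinned domain"

def sample(from_addr, authres):
    """Build a constructed test message with the given headers."""
    return (f"From: {from_addr}\nAuthentication-Results: {authres}\n"
            "Subject: test\n\nbody\n")

if __name__ == "__main__":
    cases = {
        "pinned ISP": "lists.example.net; dkim=pass header.d=isp-a.example",
        "other ISP": "lists.example.net; dkim=pass header.d=isp-b.example",
        "failed check": "lists.example.net; dkim=fail header.d=isp-a.example",
        "foreign header": "mx.other.example; dkim=pass header.d=isp-a.example",
    }
    for name, ar in cases.items():
        print(name, accept_post(sample("Alice <alice@example.org>", ar)))
```

The list cannot tell two customers of the pinned ISP apart: any message that isp-a.example signs with this From address passes, which is the case the message leaves to the user and the ISP.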
