ietf-asrg
[Top] [All Lists]

Re: [Asrg] Third party DKIM signatures

2006-06-01 08:54:16

On May 31, 2006, at 11:15 PM, John Levine wrote:

1) How does any ISP (beyond a really small geek outfit) verify that I
am authorized to use *(_at_)waltdnes(_dot_)org ?

They don't.  Fortunately, that's not what the ISP's signature means.
All a DKIM signature means is "you can blame us for this mail."

If the signing domain is taking the blame for the email they emmit, eventually they are going to tire of holding the blame and act to shift the blame where it belongs or at least stop the abuse that they are being blamed for. Except in the case of open relays I think we can safely assume that the signing domain has some knowledge of the sender to which the ISP will be able to pass the blame.

If the signing domain is authenticating the sender, which they have to do in order to not be an open relay, then the DKIM signature can be used as an extension of that authentication. As the example I presented, the user could tell a list server that the specific DKIM signing domain is a required element when accepting mail from that user. This would block most forgeries on that list except for forgeries that came from the same ISP. This local conflict can then easily be resolved by either the ISP removing the forger or the user removing himself from the ISP.

Note that this particular linking of the signing domain to the From address is local to the receiving list server and at the request of the user.


If the signing domain matches the From: domain, should we take that to
mean that the From: address is real?  I don't think we should assume
that unless the whole address is in the signature, maybe not even
then.

A sender could always forge any address used in the signature. An ISP that blindly signs the outgoing mail would inadvertently sign such a forgery. Unless there is an explicit flag that says a header has been verified you cannot infer anything more about the signed header except that it was a part of the original message. I haven't looked at any cases yet where such a flag would make DKIM signatures more useful.

-- Dan Oetting


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg