On May 31, 2006, at 11:15 PM, John Levine wrote:
1) How does any ISP (beyond a really small geek outfit) verify
that I
am authorized to use *(_at_)waltdnes(_dot_)org ?
They don't. Fortunately, that's not what the ISP's signature means.
All a DKIM signature means is "you can blame us for this mail."
If the signing domain is taking the blame for the email they emmit,
eventually they are going to tire of holding the blame and act to
shift the blame where it belongs or at least stop the abuse that they
are being blamed for. Except in the case of open relays I think we
can safely assume that the signing domain has some knowledge of the
sender to which the ISP will be able to pass the blame.
If the signing domain is authenticating the sender, which they have
to do in order to not be an open relay, then the DKIM signature can
be used as an extension of that authentication. As the example I
presented, the user could tell a list server that the specific DKIM
signing domain is a required element when accepting mail from that
user. This would block most forgeries on that list except for
forgeries that came from the same ISP. This local conflict can then
easily be resolved by either the ISP removing the forger or the user
removing himself from the ISP.
Note that this particular linking of the signing domain to the From
address is local to the receiving list server and at the request of
the user.
If the signing domain matches the From: domain, should we take that to
mean that the From: address is real? I don't think we should assume
that unless the whole address is in the signature, maybe not even
then.
A sender could always forge any address used in the signature. An ISP
that blindly signs the outgoing mail would inadvertently sign such a
forgery. Unless there is an explicit flag that says a header has been
verified you cannot infer anything more about the signed header
except that it was a part of the original message. I haven't looked
at any cases yet where such a flag would make DKIM signatures more
useful.
-- Dan Oetting
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg