
Re: [Asrg] DKIM role?

2009-01-09 16:00:13
http://www.dkim.org/specs/rfc4871-dkimbase.html
4.1 Example Scenarios

There are many reasons why a message might have multiple signatures. For 
example, a given signer might sign multiple times, perhaps with different 
hashing or signing algorithms during a transition phase.


5.1 Determine Whether the Email Should Be Signed and by Whom

A signer can obviously only sign email for domains for which it has a private 
key and the necessary knowledge of the corresponding public key and selector 
information. 


----------------
But more important:
----------------
i=
    Identity of the user or agent (e.g., a mailing list manager) on behalf of 
which this message is signed (dkim-quoted-printable; OPTIONAL, default is an 
empty Local-part followed by an "@" followed by the domain from the "d=" tag). 
The syntax is a standard email address where the Local-part MAY be omitted. The 
domain part of the address MUST be the same as or a subdomain of the value of 
the "d=" tag.

INFORMATIVE DISCUSSION: This document does not require the value of the "i=" 
tag to match the identity in any message header fields. This is considered to 
be a verifier policy issue. Constraints between the value of the "i=" tag and 
other identities in other header fields seek to apply basic authentication into 
the semantics of trust associated with a role such as content author. Trust is 
a broad and complex topic and trust mechanisms are subject to highly creative 
attacks. The real-world efficacy of any but the most basic bindings between the 
"i=" value and other identities is not well established, nor is its 
vulnerability to subversion by an attacker. Hence reliance on the use of these 
options should be strictly limited. In particular, it is not at all clear to 
what extent a typical end-user recipient can rely on any assurances that might 
be made by successful use of the "i=" options.
----------------

So i= and d= can be from a totally different domain than the email is sent 
from, as long as the MTA has the private key and can use it to sign.


----- Original Message -----
From: "Jeff Macdonald" <jmacdonald(_at_)e-dialog(_dot_)com>
To: "Anti-Spam Research Group - IRTF" <asrg(_at_)irtf(_dot_)org>
Sent: Saturday, 10 January, 2009 2:59:07 AM (GMT+1200) Auto-Detected
Subject: Re: [Asrg] DKIM role?

On Sat, Jan 10, 2009 at 01:54:14AM +1200, Franck Martin wrote:

The beauty of DKIM is that a federation of universities could
provide a DKIM signature for all UK education centers, ensuring you
are dealing with properly registered education centers.

What would such a DKIM signature look like?


-- 
Jeff Macdonald
jmacdonald(_at_)e-dialog(_dot_)com

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
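
The i=/d= rules quoted from RFC 4871 in the message above, as an added example that is not part of the original post or of any DKIM implementation: it parses a DKIM-Signature header, checks the one constraint the spec makes mandatory (the i= domain is d= or a subdomain of it), and reports separately whether the From: domain matches d=, which the spec leaves to verifier policy. The sample message, its domains, selector and the function names are constructed for illustration, and no cryptographic verification is performed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: signed by a federation domain (d=) on behalf of a
# member identity (i=), while the From: author is in an unrelated domain.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=federation.example; s=sel2009;
 i=member@members.federation.example; h=from:subject;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@college.example>
Subject: constructed test

body
"""

def parse_tags(value):
    """Split a DKIM-Signature header value into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def dqp_decode(s):
    """Decode dkim-quoted-printable (=XX upper-case hex escapes)."""
    return re.sub(r"=([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def within(domain, parent):
    """True if domain equals parent or is a subdomain (label boundary)."""
    return domain == parent or domain.endswith("." + parent)

def identity_report(raw):
    msg = message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    d = tags["d"].lower().rstrip(".")
    i = dqp_decode(tags.get("i", "@" + d))  # default: empty local-part @ d=
    i_domain = i.rsplit("@", 1)[1].lower().rstrip(".")
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[1].lower()
    return {
        "d": d,
        "i": i,
        "i_within_d": within(i_domain, d),         # MUST in the spec
        "from_matches_d": within(from_domain, d),  # verifier policy only
    }
```

For the sample, i_within_d is true and from_matches_d is false: the signature is well-formed even though the signing domain is unrelated to the author's address.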