I have run a series of tests, where I sign a message (sent by me) but with only
the Return-path containing my domain (DKIM does not sign the return-path as
recommended in the spec).
I used the DKIM reflectors on www.dkim.org
and the assessment I got was: neutral (none of the signed field contain the
domain of the signer).
like if it is wrong.
I think it should be a pass. I fear that many people that verify DKIM make the
same mistake.
I'm thinking of adding an X-header that will contain my domain and sign it via
DKIM and see if the reflectors are happier.
----- Original Message -----
From: "Dave CROCKER" <dhc(_at_)dcrocker(_dot_)net>
To: "Anti-Spam Research Group - IRTF" <asrg(_at_)irtf(_dot_)org>
Sent: Tuesday, 13 January, 2009 4:27:20 AM (GMT+1200) Auto-Detected
Subject: Re: [Asrg] where the message originated
Steve Atkins wrote:
On Jan 12, 2009, at 4:44 AM, Alessandro Vesely wrote:
Hm.. I'm not much into DKIM. It technically allows to sign false
identities, but doesn't (or shouldn't) it semantically imply that the
signers must have some (possibly small but still positive) degree of
trust that what they sign is correct?
No. The signature only means that the message you received was the one
signed by the signing identity.
Not quite right. Or rather, not quite complete. And I'm compelled to pick
this
nit, since it is fundamental to discussion about DKIM's purpose.
What you've described is a data integrity function. Yes, DKIM performs that on
the portions of the message it lists in the DKIM-Signature: header field.
However, data integrity is a side-effect of DKIM and not it's actual purpose.(*)
It's purpose is: "DKIM allows an organization to take responsibility for
transmitting a message, in a way that can be validated by a recipient. "
So the requirement on the signer is to choose naming granularity and use that
will provide the recipient with a stable label of a message stream.
The receiver is supposed to take the identifier being proffered by the signer
and run it through an assessment process.
Presumably, a fake or transient or new identifier is likely to get far less
trust than one with a track-record. As noted, the intended benefit of DKIM is
across a message stream, with the identifier being used to label that stream
consistently.
d/
(*) In fact, one can argue that DKIM doesn't perform data integrity all that
well, to which the response is that that's ok, it does it well enough for
validating the use of the identifier.
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg