
Re: [Asrg] where the message originated

2009-01-12 15:04:01
I have run a series of tests, where I sign a message (sent by me) but with only 
the Return-path containing my domain (DKIM does not sign the return-path as 
recommended in the spec).

I used the DKIM reflectors on www.dkim.org

and the assessment I got was: neutral (none of the signed field contain the 
domain of the signer).

like if it is wrong.

I think it should be a pass. I fear that many people that verify DKIM make the 
same mistake.

I'm thinking of adding an X-header that will contain my domain and sign it via 
DKIM and see if the reflectors are happier.

----- Original Message -----
From: "Dave CROCKER" <dhc(_at_)dcrocker(_dot_)net>
To: "Anti-Spam Research Group - IRTF" <asrg(_at_)irtf(_dot_)org>
Sent: Tuesday, 13 January, 2009 4:27:20 AM (GMT+1200) Auto-Detected
Subject: Re: [Asrg] where the message originated



Steve Atkins wrote:
> On Jan 12, 2009, at 4:44 AM, Alessandro Vesely wrote:
>> Hm.. I'm not much into DKIM. It technically allows to sign false 
>> identities, but doesn't (or shouldn't) it semantically imply that the 
>> signers must have some (possibly small but still positive) degree of 
>> trust that what they sign is correct?
>
> No. The signature only means that the message you received was the one 
> signed by the signing identity.


Not quite right.  Or rather, not quite complete.  And I'm compelled to pick 
this nit, since it is fundamental to discussion about DKIM's purpose.

What you've described is a data integrity function.  Yes, DKIM performs that on 
the portions of the message it lists in the DKIM-Signature: header field. 
However, data integrity is a side-effect of DKIM and not its actual purpose.(*)

Its purpose is:  "DKIM allows an organization to take responsibility for 
transmitting a message, in a way that can be validated by a recipient. "

So the requirement on the signer is to choose naming granularity and use that 
will provide the recipient with a stable label of a message stream.

The receiver is supposed to take the identifier being proffered by the signer 
and run it through an assessment process.

Presumably, a fake or transient or new identifier is likely to get far less 
trust than one with a track-record.  As noted, the intended benefit of DKIM is 
across a message stream, with the identifier being used to label that stream 
consistently.

d/

(*)  In fact, one can argue that DKIM doesn't perform data integrity all that 
well, to which the response is that that's ok, it does it well enough for 
validating the use of the identifier.

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
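
The check that the reflector's "neutral" wording suggests, written out as an added example (not part of the original thread and not the reflector's code): it reads `d=` and `h=` from the DKIM-Signature field and lists which signed header fields carry an address in the signer's domain. It does no cryptographic verification; the sample messages, the domains and the `X-Signer` field name are constructed for illustration.

```python
import email
from email.utils import getaddresses

# Constructed sample: signed by example.net, but only Return-Path (which is
# not listed in h=) carries that domain. bh= and b= are placeholders.
SAMPLE = (
    "Return-Path: <bounce@example.net>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel1;\n"
    " h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@example.org>\n"
    "To: bob@example.com\n"
    "Subject: test\n"
    "Date: Mon, 12 Jan 2009 15:04:01 +0000\n"
    "\n"
    "body\n"
)

# Constructed variant: an extra header (hypothetical name) that names the
# signer's domain and is listed in h=, as proposed in the message above.
WITH_X = SAMPLE.replace("h=from:to", "h=x-signer:from:to").replace(
    "From: Alice", "X-Signer: <postmaster@example.net>\nFrom: Alice"
)

def parse_tags(value):
    """Split a DKIM-Signature tag list (tag=value; ...) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def signed_fields_naming_signer(raw):
    """Return (d= domain, signed header fields holding an address in it)."""
    msg = email.message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    domain = tags["d"].lower()
    hits = []
    for field in tags["h"].lower().split(":"):
        for _, addr in getaddresses(msg.get_all(field, [])):
            host = addr.rpartition("@")[2].lower()
            matches = host == domain or host.endswith("." + domain)
            if matches and field not in hits:
                hits.append(field)
    return domain, hits

if __name__ == "__main__":
    print(signed_fields_naming_signer(SAMPLE))
    print(signed_fields_naming_signer(WITH_X))
```

An empty list for the first sample corresponds to the "none of the signed field contain the domain of the signer" condition; whether a verifier should treat that as anything other than a pass is the question the thread is debating.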