Re: [ietf-dkim] Not exactly not a threat analysis

Look, it's not acceptable for DKIM to change the semantics of From.
From can contain multiple addresses, From can contain an address other
than that of the Originator, and if a Sender field is present From has
no implied relationship with the party that originated the message.
These semantics are well-established and have been in use for around 25
years.
SSP as currently written does use Sender: (as a tie-breaker) in theevent that From: has multiple addresses. An alternative way to do thismight be to do an SSP for each address in the From: field that doesn'thave a valid signature (modulo disagreement on this point) and use themost restrictive policy found.

Sender is so widely misused in practice that you really need to define anew field for this, or better yet, just define a new one that hascleaner semantics. In particular, a message can get "sent" more thanonce, so you need to have the possibility of having multiple senders andindicating the order.

The point is that, for a variety of reasons, From really has no impliedrelationship with who sent the message, and has only a tenuousrelationship with who wrote the message. People have stood on theirheads trying to reconcile this with the desire to make the IDs ofprincipals who sign the message agree with the legacy message headers,but it just doesn't fit - there are too many different things that aredone with messages, for justifiable reasons, that invalidate thisassumption. Rather than try to change the way that existing fields areused, it makes a lot more sense to just define new fields (or parameterswithin a DKIM-Signature field) that have the semantics you want.

If you want to define a way for DKIM to say "the party who sent this
message has permission to make statements on behalf of these From
addresses" that's all well and good.  What's not appropriate is to
define DKIM in such a way as to wire in an assumption that From is
always the party who originated the message.
We need to balance here between the definitions in specifications andhow ordinary people look at email.SSP is based on From: because that'salmost always what people see and if you send someone a message, and askwho it's from, they will almost always point to it. If the recipientthinks that From is the party who originated the message, that'ssignificant.

I'm all for having DKIM be as easily understood by "ordinary people" aspossible. But trying to add new functionality to an existing userinterface, without changing that interface, just doesn't work. If youwant DKIM to add value for recipients, MUAs need to display signedmessages differently than unsigned messages anyway. It might as welldisplay the identity of the signer instead of, or in addition to, theFrom address.

Just as a proof of concept, imagine that MUAs started displaying DKIMsigned messages differently than unsigned messages: unsigned messageswould display From:, while messages signed by their authors woulddisplay something like Signed-From: e.g.:


a) From header a(_at_)b(_dot_)c; signed by a(_at_)b(_dot_)c would be displayed:

        Signed-From: a(_at_)b(_dot_)c

b) From header a(_at_)b(_dot_)c, b(_at_)b(_dot_)c; signed by a(_at_)b(_dot_)c 
would be displayed:

        Signed-From: a(_at_)b(_dot_)c [[claiming to represent a(_at_)b(_dot_)c, 
b(_at_)b(_dot_)c ]]

(presuming that the From header were included in the signature)

c) From header a(_at_)b(_dot_)c; no signature would be displayed:

        From: a(_at_)b(_dot_)c

The point is that the user interface needs to change anyway so thatusers will be aware of DKIM, and if it changes, there's no particularneed to depend on existing users' expectations about the semantics ofthe From field. They'll learn to understand the new indications.(however we would want to try to have this displayed with reasonableconsistency across different user agents)


Keith
_______________________________________________
ietf-dkim mailing list
http://dkim.org