On Wed, 2 Aug 2006, Damon wrote:
Are you saying the the receiving MTA is not going to know what IP it
received the message from?
More precisely the system doing DKIM checking is not going to know it
or even more precisely we should not assume that it would have any
knowledge about it (at least not on the protocol level).
or are you saying that there may be multiple receiving MTA's that will each,
in-turn, check the signatures?
That may happen, but it is not the core of the problem. The core is that
DKIM is message content based verification system and thus should not be
tied to SMTP session.
Here I see it breaking. Could you include
this information in the DKIM header information then?
Yes. Just add a tag which specifies FQDN name of the host that added the
signature. I talked about it long time ago on mailsig mail list.
Mixing DKIM and SPF was where I expected to get flamed- In which case, it
is
> just as easy to set the CIDR's in the DKIM dns entry. While it is
SPF-like
> it doesn't mean this really good idea can't be reused.
CIDR does not make sense with DKIM. Listing of domains or servers does
make sense.
CIDR's would not require many more additional lookups.
Come on William.. how many good arguments do I need to convince you ;)
>
> Regards,
> Damon
>
>
> On 8/2/06, william(at)elan.net <william(_at_)elan(_dot_)net> wrote:
>>
>>
>> Some people unfortunetly never introduced tag (present for example in
IIM)
>> specifying which server actually adds DKIM signature. This makes it
>> impossible to extend in the way you proposed as receiver would not know
>> server/network responsible for adding particular signature when email
>> is actually being proposed. As far as what you proposed about SPF I
>> would advise against it due to different identities being involed at
>> DKIM and SPF and mixing it up is a security hole that may only become
>> apparent long time in the future.
>>
>> On Wed, 2 Aug 2006, Damon wrote:
>>
>> > I know that I am writing this a great risk of being flamed but the
more
>> I
>> > think about it the better it sounds to me.
>> > I believe that it will help with the "I sign some mail" and "I sign
no
>> mail"
>> > issues.
>> >
>> > What about using an additional tag to specify where I always sign
mail
>> from.
>> >
>> > Such as "I always sign mail from servers on my SPF record or CIDR(s)"
>> >
>> > _domainkey DNS TXT record adding the additional tag (w):
>> >
>> > example._domainkey.example.com. IN TXT "g=; w=spf or
>> (<cidr>[,<cidr>,...]);
>> > k=rsa; p=<key>"
>> >
>> >
>> > This way, domains can junk "I sign some mail" can specify that "I
always
>> > sign based on my (w) tag"
>> >
>> >
>> >
>> > Flame away!
>> >
>> > Regards,
>> > Damon Sauer
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html