ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ietf-dkim] Re: Where to look for the signing practice

2006-08-23 12:08:47
from [Scott Kitterman] [Permanent Link] 
On Wednesday 23 August 2006 14:41, Jim Fenton wrote:

[changed the subject line because this is straying a bit from the
delegation topic]
Hector Santos wrote:

From: "Jim Fenton" <fenton(_at_)cisco(_dot_)com>
Sorry, having trouble keeping the context of the discussion right.

This could be done, but dilutes the simplicity argument that motivated
the Authorized Signing Domains approach in the first place.  Formerly
the ISP just signed using their own domain name; now they must create a
subdomain for each of their customers, publish keys there, and sign each
using the proper subdomain?  Or do they sign using 
i=(_at_)cust49(_dot_)isp(_dot_)com and
d=isp.com perhaps?

But there is a residual problem.  Suppose jdoe(_at_)mipassoc(_dot_)org is a
subscriber to this list and someone spoofs a message from
jdoe(_at_)mipassoc(_dot_)org to the list.  
ietf-dkim(_at_)mipassoc(_dot_)org accepts the
message and sends it to isp.com, their Authorized Signing Domain, and it
is signed and sent.  Is the signature from jdoe (the author) or
ietf-dkim (the mailing list)?  Without Authorized Signing Domains, you
could tell by looking at the local-part of i=.  But now you can't.  I
think this is an important distinction, even if it only applies in a
subset of use cases.


Jim,

I consider the baseline situation where verifiers receiving non-signed
messages and what you would use from the minimum 2822 headers available
to extract the domain policy information.

What will that be?

In other words, if you have:

  Received:
  From:
  To:
  Subject:
  Date:

and no other DKIM fingerprints, what do you use to get the DKIM signing
practice?




According to draft-allman-dkim-ssp-01, section 2.2, it would be the
From: address (or the first From address in the rare case that there is
more than one).  However, that's just a proposal at this point, but
since you ask "what do you use", that's what I would use.



Agree it's From, but if there are multiple From's then I think you have to 
query them all up to some processing limit (set to prevent DoS).  If you just 
check the first one and there are MUA's the display multiple ones or perhaps 
just the last one (I don't know, I've never actually seen a multi-From 
message) then you've left a hole.

Scott K
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Delegating responsibility: a make vs. buy design decision, Scott Kitterman
Next by Date:  Re: [ietf-dkim] Delegating responsibility: a make vs. buy designdecision, Hector Santos
Previous by Thread:  [ietf-dkim] Where to look for the signing practice, Jim Fenton
Next by Thread:  [ietf-dkim] Re: Where to look for the signing practice, Hector Santos
Indexes:  [Date] [Thread] [Top] [All Lists]