ietf-dkim

Re: [ietf-dkim] The (really) latest SSP draft

2007-10-22 13:50:11
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> So if he said i=subdomain.example.com, then surely the From/Sender
> can be expected to be from that subdomain; and if he said
> i=someone@example.com, then surely recipients can assume that
> 'someone' had indeed played some part in sending it.


Absolutely not. DKIM is a protocol in which one administrative domain
speaks primarily to another administrative domain. It's not a
domain-to-user protocol nor a user-to-anything protocol. The i= parameter can
be anything the signing domain wants it to be. It is unlikely to be
an outright lie (for example, I mark all mail coming from alice with
bob), but it may be.

Suppose you have "sales@example.com" whereby any salescritter can
send an email coming from the sales department. Both Alice and Bob
are sending emails, and the DKIM signer is going to mark it as
"sales@example.com". That's well enough, because it doesn't matter
to you if Alice or Bob sent it.

However, unbeknownst to you, Alice has told Marketing about their  
fancy mail system and because of that Marketing mail also gets marked  
as i=sales@example.com. To make things worse, Bob told the HR
department and all their job recruiting mail also goes out from that  
MTA and thus is marked as sales as well.

The IT staff knows about this and isn't happy, but they either have  
to turn a blind eye to it or set up servers from Marketing and HR,  
and that's not in the budget. So they just turn a blind eye to it.

        Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.6.3
Charset: US-ASCII

wj8DBQFHHQn9sTedWZOD3gYRAnHRAKD96cwXDL/cCwSRlFba3VAPARKM6wCcDQ9i
Rk0xpb/ZgR6BXVqcigUm4kM=
=hhyj
-----END PGP SIGNATURE-----
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
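
The scenario in the message above, as an added example (not code from the list or from any DKIM implementation): a receiver-side parser that reads d= and i= from a DKIM-Signature header and applies the only structural check on i=, that its domain is d= or a subdomain of it. The function names, the selector `mta1`, the placeholder `bh=`/`b=` values and the sample messages are constructed for illustration.

```python
import re

def parse_tags(value):
    """Parse a DKIM-Signature tag=value list into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" not in part:
            continue  # empty element after a trailing ';'
        name, val = part.split("=", 1)
        if name.strip() in tags:
            raise ValueError("duplicate tag: " + name.strip())
        tags[name.strip()] = val.strip()
    return tags

def signer_identity(value):
    """Return (d, i): the responsible domain and the label it asserted."""
    tags = parse_tags(value)
    d = tags["d"].lower()
    i = tags.get("i", "@" + d)  # an absent i= defaults to "@" + d
    if "@" not in i:
        raise ValueError("i= has no '@'")
    i_domain = i.rsplit("@", 1)[1].lower()
    # The only structural constraint: i= must sit inside the d= domain.
    if i_domain != d and not i_domain.endswith("." + d):
        raise ValueError("i= domain is outside d=")
    return d, i

def group_by_identity(messages):
    """Map each (d, i) pair to the real senders that were signed with it."""
    groups = {}
    for sender, header in messages:
        groups.setdefault(signer_identity(header), []).append(sender)
    return groups

# Constructed sample: one shared MTA stamps every department as "sales".
SHARED = ("v=1; a=rsa-sha256; d=example.com; s=mta1;\r\n"
          "\ti=sales@example.com; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
MESSAGES = [("alice (sales)", SHARED), ("marketing", SHARED), ("hr recruiting", SHARED)]

if __name__ == "__main__":
    for (d, i), senders in group_by_identity(MESSAGES).items():
        print("d=%s i=%s <- %s" % (d, i, ", ".join(senders)))
```

All three senders collapse into the single pair `("example.com", "sales@example.com")`, so receiver policy or reputation keyed on the i= local-part cannot tell them apart; only d= identifies who is answerable for the mail.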