ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] The (really) latest SSP draft

2007-10-29 10:01:32
from [Michael Thomas] [Permanent Link] 
Charles Lindsey wrote:
On Sat, 27 Oct 2007 16:13:47 +0100, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:
Discussion about raw DKIM signing sometimes seems to have the underlying view that the From field is validated as being accurate. At the least, this seems to vary among different folk. I wanted to see whether there is a clear view one way or the other.
I think it is clear from replies so far that a DKIM signature certifes no more than "This is the state of the headers at the time I constructed the signature", which is rather weak. 

I think it's somewhere between these two. DKIM implementations should
all have access control to which messages do and do not get signed. You
don't what to take responsibility for that which you are not responsible,
after all. This is especially true of origination address (from, sender...). I 
took a poll at the interop to make certain that implementations had that
access control and was pleasantly surprised that they had considered the
issue.
OTOH, there is that mention of "responsibility" which seems to imply something stronger; but since "responsibility" is not defined, it is still rather meaningless.
I suppose there is also an implication in a signature that "I am authorised to issue signatures on behalf of the domain in question", but that is still rather weak. 

I have no idea what "strong" or "weak" mean in this context. A dkim
signature is what it is.
I'm not suggesting "fixing" DKIM. I'm seeking clarity among the community. (It's a California thing.)
So I think RFC 4871 ought to be "fixed" (unless we can find some way of fixing it in SSP, for example by enabling the SSP record to assert "we only sign where the From/Sender has been verified"). 




This is a useless assertion from the signer, as there is no way that
the receiver can independently verify that they are not lying. In
practice, I don't think this makes a particle of difference as signers
don't want to be taking responsibility for things they aren't responsible
for so there is incentive built in to make that relationship correct,
fsvo "correct". Sorry if that's not absolute enough for you, but the
internet is built on fsvo "correct".

      Mike
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] The (really) latest SSP draft, Stephen Farrell
Next by Date:  Re: [ietf-dkim] The (really) latest SSP draft, Douglas Otis
Previous by Thread:  Re: [ietf-dkim] The (really) latest SSP draft, Stephen Farrell
Next by Thread:  Re: [ietf-dkim] The (really) latest SSP draft, Douglas Otis
Indexes:  [Date] [Thread] [Top] [All Lists]