
Re: [ietf-dkim] SSP-01 Intro's definition of forgery a bit imprecise

2007-11-15 04:57:45
On Wed, 14 Nov 2007 23:50:17 -0000, Jim Fenton <fenton(_at_)cisco(_dot_)com> 
wrote:

Douglas Otis wrote:
Introduction:

,--
| ... However, some domains may choose to sign all of their
| outgoing mail, for example, to protect their brand name.  It is
| highly desirable for such domains to be able to advertise that fact
| to verifiers, and that messages claiming to be from them that do not
| have a valid signature are likely to be forgeries.  This is the topic
| for sender signing practices.
'--

This statement overlooks messages forwarded by mailing-lists and the
like where a signature might become invalid.

Perhaps change "claiming to be from them" to "claiming to be directly
from them".

DKIM tries to be as path-agnostic as possible, so the word "directly" is
problematic.  If it goes through a transparent (non-modifying)
forwarder, is it "directly from them"?  Probably not, so this wording
understates DKIM's value.

My interpretation of "directly" in the above text is that it implies

"if this message arrives without evidence of intermediate forwarding/mail-list-expansion/whatever, and its signature is bad/absent, then that is a cause for immediate and grave suspicion. But if there is evidence of such forwarding, then further investigation of whether such forwarding might have removed/broken our original signature could be taken into account".

So if the forwarder has re-signed (or even better certified that the original signature was good when seen by him) then a site that is prepared to trust the forwarder might choose to be less suspicious.

If that is the intention of "directly", then it is probably fine to include it (or maybe something more explicit, since "directly" seems to have been misunderstood).

OTOH, my interpretation of "strict" means "please be suspicious if the signature is absent/bad even if there is plausible evidence of mangling by a forwarder".

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
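As an added illustration of the reading set out in the message above (not code from the SSP draft or from anyone on the list), the following Python models a verifier's disposition of a message given the author domain's advertised practice, the DKIM verification results, and evidence of mailing-list expansion. The practice names "all" and "strict", the four disposition labels, the choice of List-* headers (RFC 2369/2919) as forwarding evidence, and the sample headers and verification results are all assumptions constructed for the example; real signature verification is stood in for by a dictionary of per-domain results.

```python
"""Toy verifier-side disposition model for the "directly" vs "strict" reading.

Assumptions (not from the SSP draft): practice names, disposition labels,
and the use of List-* headers as evidence of mailing-list forwarding.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Sender signing practice as interpreted in the thread (names assumed):
#   "all"    - the domain signs everything; a missing/bad author signature is
#              grave cause for suspicion unless a forwarder plausibly broke it.
#   "strict" - be suspicious even when there is plausible forwarding evidence.
PRACTICE_ALL = "all"
PRACTICE_STRICT = "strict"

# Headers that signal mailing-list expansion (RFC 2369 / RFC 2919).
LIST_EVIDENCE_HEADERS = ("list-id", "list-post", "list-unsubscribe")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block into (name, value) pairs, unfolding
    continuation lines (leading whitespace) onto the previous header."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def signing_domains(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the d= domain of every DKIM-Signature header, in header order."""
    out = []
    for name, value in headers:
        if name == "dkim-signature":
            m = re.search(r"(?:^|;)\s*d=([^;\s]+)", value)
            if m:
                out.append(m.group(1).lower())
    return out


def forwarding_evidence(headers: Iterable[Tuple[str, str]]) -> bool:
    """True if the message carries mailing-list headers (our forwarding evidence)."""
    return any(name in LIST_EVIDENCE_HEADERS for name, _ in headers)


def disposition(author_domain: str, practice: str, raw_headers: str,
                verified: Dict[str, bool], trusted_forwarders: Iterable[str]) -> str:
    """Decide how suspicious to be of a message.

    verified: constructed stand-in for the verifier's output, mapping each
              signing domain to whether its signature verified.
    Returns one of (labels assumed):
      "accept"           author domain's own signature verified
      "trust-forwarder"  author sig bad/absent, but a trusted forwarder re-signed
      "investigate"      author sig bad/absent with forwarding evidence, practice "all"
      "suspect"          author sig bad/absent, no forwarding evidence or practice "strict"
    """
    headers = parse_headers(raw_headers)
    domains = signing_domains(headers)
    author_domain = author_domain.lower()
    if author_domain in domains and verified.get(author_domain, False):
        return "accept"
    # Message did not arrive with a good signature from the author domain.
    if practice == PRACTICE_STRICT or not forwarding_evidence(headers):
        return "suspect"
    # Practice "all" plus forwarding evidence: a trusted re-signer lowers suspicion.
    trusted = {d.lower() for d in trusted_forwarders}
    for d in domains:
        if d != author_domain and d in trusted and verified.get(d, False):
            return "trust-forwarder"
    return "investigate"


# Constructed sample: a message from example.com relayed through a list that
# appended a footer (breaking the author signature) and re-signed it.
LIST_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=list;
\th=from:to:subject; bh=AAAA; b=BBBB
List-Id: Discussion list <talk.lists.example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail;
\th=from:to:subject; bh=CCCC; b=DDDD
From: author@example.com
Subject: hello
"""

# Same message delivered directly, without any list headers or re-signature.
DIRECT_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail;
\th=from:to:subject; bh=CCCC; b=DDDD
From: author@example.com
Subject: hello
"""

if __name__ == "__main__":
    results = {"example.com": False, "lists.example.net": True}  # constructed
    print(disposition("example.com", PRACTICE_ALL, LIST_MESSAGE, results, ["lists.example.net"]))
    print(disposition("example.com", PRACTICE_STRICT, LIST_MESSAGE, results, ["lists.example.net"]))
    print(disposition("example.com", PRACTICE_ALL, DIRECT_MESSAGE, results, []))
```

The "strict" branch is checked before looking for a re-signer, which is the point of the message above: under "strict", forwarding evidence does not soften the verdict, while under "all" the receiver may decide how much weight a trusted forwarder's re-signature carries.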
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html