ietf-dkim

Re: [ietf-dkim] Responsibility vs. Validity

2007-11-29 04:37:05
On Wed, 28 Nov 2007 18:46:27 -0000, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:

> On Nov 28, 2007, at 5:35 AM, Charles Lindsey wrote:
>
>> Essentially, the signature MUST include the From header (others are at the signer's discretion). So, at a minimum, the signer is asserting that this message came into his possession via a route that indicated that its origin was within the domain within the From (mailing list signatures excepted, of course). If the signer is not prepared to vouch for that, then he has no business signing it.

> Many providers do a good job, and only ensure behaviour of those granted access. These providers might not require From email-address vetting equivalent to that of S/MIME certificates before granting access. Such a provider may wish to assure recipients that their outbound SMTP clients sign _all_ outbound messages. If this assurance were possible, it could avoid complaints related to any spoofing which does not include their signature. This is different from saying that all email-addresses within the From header are assured to belong to the purported author, as some might wish to assume. SSP does _not_ allow this distinction. SSP policy is From domain centric, rather than from the perspective of the SMTP client.

If there are multiple addresses in the From header, then there is supposed to be a Sender. In that case, the signer (who SHOULD then include the Sender in the signature) is asserting that the message arrived into his possession from the Sender rather than from the From. But in the absence of a Sender header, the signer is vouching for the From. What steps the signer takes to satisfy himself that either the Sender or the From is one of its legitimate clients is another matter, but such steps must not be entirely absent.

Note that a mailing list expander is supposed to insert a Sender.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
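The scope rule Charles describes above (From MUST be signed; with several From mailboxes there should be a Sender, and the signer SHOULD sign it too) can be checked mechanically from the h= tag of a DKIM-Signature header. The following is an added example written for this archive page, not code from the list or from any DKIM implementation. It only inspects the h= list of the first DKIM-Signature header; it does not verify the signature cryptographically, and the sample messages (with placeholder b=/bh= values) are constructed for illustration.

```python
"""Scope check for a DKIM-Signature h= list, per the thread's rule:
  * From MUST be covered by the signature (RFC 4871 section 5.4).
  * If From lists more than one mailbox, RFC 5322 section 3.6.2 expects a
    Sender header, and the signer SHOULD cover it, since the signature is
    then vouching for the Sender rather than the From.
Assumption: only the first DKIM-Signature is examined and the signature
value itself is not verified; this is a header-scope check only.
"""
import email
from email.utils import getaddresses


def parse_dkim_tags(sig_value):
    """Split a DKIM-Signature value into a {tag: value} dict.
    Tag names are lowercased; folding whitespace around values is stripped."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def signed_header_names(sig_value):
    """Header field names listed in h=, lowercased, in the order given."""
    h = parse_dkim_tags(sig_value).get("h", "")
    return [n.strip().lower() for n in h.split(":") if n.strip()]


def check_signature_scope(raw_message):
    """Return a list of problems; an empty list means the scope is acceptable."""
    msg = email.message_from_string(raw_message)
    problems = []

    sigs = msg.get_all("DKIM-Signature", [])
    if not sigs:
        return ["no DKIM-Signature header"]
    signed = signed_header_names(str(sigs[0]))

    from_addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    sender_addrs = [a for _, a in getaddresses(msg.get_all("Sender", [])) if a]

    if "from" not in signed:
        problems.append("From is not in h=; signature does not vouch for the author domain")

    if len(from_addrs) > 1:
        if not sender_addrs:
            problems.append("From lists %d mailboxes but there is no Sender header" % len(from_addrs))
        elif "sender" not in signed:
            problems.append("From lists several mailboxes but Sender is not in h=")

    return problems


# Constructed sample messages (not from the thread); b= and bh= are placeholders.
SIGNED_SINGLE_FROM = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel;
 h=From:To:Subject:Date; bh=placeholder=; b=placeholder=
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: hello
Date: Thu, 29 Nov 2007 04:37:05 +0000

body
"""

MULTI_FROM_NO_SENDER = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel;
 h=From:To:Subject; bh=placeholder=; b=placeholder=
From: Alice <alice@example.net>, Carol <carol@example.com>
To: Bob <bob@example.org>
Subject: joint note

body
"""

MULTI_FROM_SENDER_UNSIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel;
 h=From:To:Subject; bh=placeholder=; b=placeholder=
From: Alice <alice@example.net>, Carol <carol@example.com>
Sender: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: joint note

body
"""

FROM_NOT_SIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel;
 h=To:Subject; bh=placeholder=; b=placeholder=
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: hello

body
"""

if __name__ == "__main__":
    for name, raw in [("single From", SIGNED_SINGLE_FROM),
                      ("multi From, no Sender", MULTI_FROM_NO_SENDER),
                      ("multi From, Sender unsigned", MULTI_FROM_SENDER_UNSIGNED),
                      ("From unsigned", FROM_NOT_SIGNED)]:
        print(name, "->", check_signature_scope(raw) or "ok")
```

A verifier that applied this check would treat the first message as in scope, flag the second for the missing Sender, flag the third because the Sender the signer is actually vouching for is left out of h=, and reject the fourth outright since an unsigned From violates the MUST.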