ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] NEW ISSUE: Limit the application of SSP to unsigned messages

2007-12-10 13:29:34
Mike,
Eliot Lear wrote:
Dave's concern is over the
definition of the message originator.  If a reputation check of some
form is done on a valid signature and found to be positive, I see no
reason to continue the SSP process.
  

I certainly agree that if this isn't clear it should be made to be clear.
But what's unclear to me is that it has anything to do with the text
in the draft or whether it's some people's preconceived notions. 

Here are the relevant definitions:

2.3.  Originator Address

   The "Originator Address" is the email address in the From header
   field of a message [RFC2822], or if and only if the From header field
   contains multiple addresses, the first address in the From header
   field.


2.8.  Originator Signature

   An "Originator Signature" is any Valid Signature where the signing
   address (listed in the "i=" tag if present, otherwise its default
   value, consisting of the null address, representing an unknown user,
   followed by "@", followed by the value of the "d=" tag) matches the
   Originator Address.  If the signing address does not include a local-
   part, then only the domains must match; otherwise, the two addresses
   must be identical.

For purposes of our discussion, let us consider the case where I have
received a message from Joe(_at_)StrictSSP(_dot_)COM via a mailing list
mailing-list(_at_)good-reputation(_dot_)com that has somehow broken the Joe's 
DKIM
signature, perhaps by appending some text at the bottom.  The MTA for
good-reputation.com has signed the message.  Section 4.4 Step 1 does not
directly state that I can use that signature as a valid signature.  Let
us assume that handling=deny and that dkim=all in this example.  Because
I do not have a valid originator signature I proceed to Step 2 and query
for _ssp._domainkey.StrictSSP.COM.

I believe this is undesirable.  It would be better to have the check
earlier, say in step 1, but I recognize this presents a problem with
strict, because you never make an SSP query to determine if strict
conditions apply.  To solve this one could add a flag to the DKIM DNS
record.

Eliot
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>