ietf-dkim

Re: [ietf-dkim] Issue #1524: Signature semantics

2007-12-12 10:33:29


Jim Fenton wrote:
> Stephen Farrell wrote:
>> Hi Jim,
>>
>> Jim Fenton wrote:
>>> SSP does require one additional semantic over that of DKIM-base:  in
>>> addition to taking responsibility for the message, those domains that
>>> publish SSP records other than "unknown" must assert that, when the
>>> address in the From: header field is really their domain, that this is
>>> actually true.
>>
>> That statement isn't very clear to me.
>>
>> Do you mean: When a domain publishes an SSP != unknown, then it
>> states that it does not emit messages where the rfc2822.from
>> domain is outside its own domain?
>>
>> If so:
>>
>> - "emit" and "outside" would need defining
>> - should that be "messages" or "signed messages"
>>
>> If not, I'm confused.
>
> The answer is "no" so let me try again.
>
> Suppose example.com publishes SSP "all".  It signs a message with
> resulting header fields:
>
> From: Jim Fenton <fenton@cisco.com>
> DKIM-Signature: ...i=@example.com;...
>
> No additional assertion regarding the From: address is made in this
> case.  example.com is just taking responsibility for the message; it
> might be doing so because it operates a mailing list or because it
> allows subscribers to mail articles from "The Example Times" to their
> friends.
>
> Now suppose it signs a message with resulting header fields:
>
> From: John Doe <jdoe@example.com>
> DKIM-Signature: ...i=@example.com;...
>
> In this case, the signer must make an assertion that the message indeed
> originates from their domain, because a verifier using SSP depends on
> the ability to correlate the From: address to the signing address.
>
> We are depending on an assertion regarding the From: address when it
> should be easy to provide:  when that address is the same as that of the
> signer, and not when it's difficult:  when that address is something else.

Thanks for the clarification.

So the upshot of that would be that turning on SSP "all" might
require someone to do additional checks that they're not a relay
when they oughtn't be. Sounds reasonable but I don't know enough
about mail deployments to be sure myself.

A follow-up though. In the case you gave, let's assume
that example.com's "The Example Times" web form doesn't have
a captcha, so that an ad bot could ask to send a newsletter
from <<foo>>@example.com via the form. Would that be something
compliant with the SSP? (Continuing to ignore the specific
value of <<foo>>)

Ta,
S.

> Again, I am not considering the issue of whether the address comparison
> includes the local-part, because that's being covered under issue #1399.
>
> -Jim

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
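
The two cases discussed in the message above, as an added example that is not part of the original thread or of any SSP/DKIM implementation: it decides whether a signature's identity (i=, defaulting to "@" plus d= as in DKIM-base) matches the From: domain, which is when the extra From: assertion would apply. It compares domains only (the local-part question is left aside, as in the thread), does no cryptographic verification, and all sample headers and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def dkim_tags(value):
    """Parse a DKIM-Signature tag=value list into a dict (no crypto check)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant here.
            tags[name.strip()] = "".join(val.split())
    return tags


def domain_of(addr):
    """Domain part of an address or of an i= identity such as '@example.com'."""
    return addr.rpartition("@")[2].lower().rstrip(".")


def from_assertion_applies(raw_message):
    """True if some DKIM-Signature identity is in the same domain as From:."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    if not from_domain:
        return False
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(sig)
        # i= is optional; its default is "@" followed by the d= domain.
        identity = tags.get("i") or "@" + tags.get("d", "")
        if domain_of(identity) == from_domain:
            return True
    return False


# Constructed sample messages; bh= and b= are placeholders, not real signatures.
SIG = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
       " i=@example.com; bh=PLACEHOLDER=; b=PLACEHOLDER==\n")
THIRD_PARTY = "From: Some Author <author@elsewhere.example>\n" + SIG + "\nbody\n"
FIRST_PARTY = "From: John Doe <jdoe@example.com>\n" + SIG + "\nbody\n"
DEFAULT_I = ("From: John Doe <jdoe@EXAMPLE.com>\n"
             "DKIM-Signature: v=1; d=example.com; s=sel; b=PLACEHOLDER\n\nbody\n")

if __name__ == "__main__":
    for name in ("THIRD_PARTY", "FIRST_PARTY", "DEFAULT_I"):
        print(name, from_assertion_applies(globals()[name]))
```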