Re: [ietf-dkim] Seriously.

Douglas Otis wrote:

On Jan 23, 2008, at 10:11 PM, Jim Fenton wrote:
Ned Freed wrote:
I would really love it if we could get past the meta-discussion of"is the multiple From: case important?" to the proposals that havebeen made to address the issue. These include:
1. Perform SSP checks on the domains of all From addresses in themessage, with the exception of addresses having valid AuthorSignatures. If any of the checks result in a Non-Compliant(formerly Suspicious) result, then the message is consideredNon-Compliant.
or
2. In the case of multiple From: addresses in the message, and thedomain part of one of the addresses matches the domain part of theSender address, then perform an SSP check on that address unless ithas a valid Author Signature. If the Sender header field does notmatch the domain of one of the from address or is missing[violating 2822], revert to alternative #1.
This is an interesting, even novel approach. I'm still trying toevaluate it. One question I have is how it would interact with whatheaders are covered by the author signature. In particular, does theSender: field in this case have to be covered by the signature?
It might need to be, but I have a bigger concern about alternative2. The Sender address and From address(es) have different meanings.Just because a particular author happens to be the sender of themessage, should that affect which domains' signing policies apply? Ican't see why it should, which is why I favor alternative 1 giventhat we're not going to do something arbitrary in the multiple-Fromcase.
Jim,
The Author's email-address is not contained within the Sender header.When a message is not complaint with policy, the signing domain MUSTNOT apply their signature. SSP confirms the policy of the signingdomain when policy is not already apparent via their signature. SSPis not about the policy or identity of the author as you seem to suggest.

First two sentences:  Agree

Second two sentences: Disagree strongly. Policy associated with avalid signature more properly belongs in the key-record (selector)referenced in the signature (example: acceptable hash algorithms). SSPhas to do with messages lacking, potentially, any valid signature atall, and the author domain(s) is/are used as the key to retrieve SSPfrom it/them.

Ned accurately said when a signing domain is also authoritative forFrom address domain in question, then this email-address can beconsidered signed as well. The signature's hash for some identitywithin the signature's domain MUST include all From email-addresses.When the signature's domain is authoritative for the From'semail-address's domain, (unless by a g= restricted key) the messageMUST BE assumed to meet the signing domain's policies.

My concern has to do with whether the SSP of the other From (author)domains has to be considered as well. Just as the point has been madethat it's not proper to handle this case by arbitrarily picking thefirst From domain, I believe that it's also not proper to use Sender forthis purpose. Given that belief, the question of whether Sender issigned or not is moot.

RFC 4871 has some dangerous gaps within the specification. A g=restricted key can be used to sign on-behalf-of any header. Theidentity contained within the signature might match that of someheader, however this header is not required to have been includedwithin the signature's hash.

There was language in earlier versions of the dkim-base draft, "anyheader field that describes the role of the signer...MUST also beincluded" but that text was removed by WG consensus. I don't considerthis to be a dangerous gap, however. RFC 4871 describes the process forconstructing and verifying DKIM signatures; the context for what validsignatures are useful for what purposes lies outside that scope.


-Jim

_______________________________________________

NOTE WELL: This list operates according tohttp://mipassoc.org/dkim/ietf-list-rules.html