On Tue, 05 Feb 2008 01:00:55 -0000, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org>
wrote:
On Feb 4, 2008, at 10:15 AM, Hector Santos wrote:
From: person(_at_)example(_dot_)com
Sender: other-person(_at_)example(_dot_)com
DKIM-Signature: d=example.com i=other-person(_at_)example(_dot_)com (g=*)
But this isn't a 3rd party signature. The signing domain is the same
as the from domain, or did you try to throw in a "near-phish" domain,
or is that a typo? "exPample.com" ???
Agreed. This is not _really_ a third-party signature. The definition
for "Author Signature" used in SSP might make a signature with the
_same_ domain non-compliant (a third-party) when evaluating an SSP "all"
or "discardable" assertions.
See SSP-02 section 2.8. Author Signature
An "Author Signature" is any Valid Signature where the *identity* of
the user or agent on behalf of which the message is signed (listed in
the "i=" tag or its default value from the "d=" tag) *matches* an
*Author Address* in the message.
Compare this with ASP-00 section 2.8. Author Signature
An "Author Signature" is any Valid Signature where the signing *domain*
(listed in the "i=" tag if present, otherwise its default value,
consisting of the value of the "d=" tag) *matches* the *domain* of an
Author Address.
Yes, Doug is right, but he doesn't half make it hard for the rest of us to
figure out what he is getting at.
So, if i= is present, its domain must be the (a sub-)domain of the d=.
If it has a local-part, that must be a subset of the g=, but it is
otherwise merely informative and plays no part in validating a signature.
If you really want to ensure that the Author has that local-part, then you
need to write something in your g= tag.
So on that basis the SSP-02 definition above is inconsistent with RFC
4871, whereas the ASP-00 definition is spot-on.
That makes the signature in the example above OK under all SSP rules,
because the domain in the i= matches the domain in the From.
A more interesting question is the case:
From: person(_at_)example(_dot_)com
Sender: other-person(_at_)example(_dot_)com
DKIM-Signature: d=example.com i=other-person(_at_)example(_dot_)com
g=other-person
h=...,sender,...
Is that a 1st party signature? Surely 'yes' because no third party has got
in on the act yet.
Does it satisfy SSP=strict/all?
Not as SSP is currently written, but IMHO it should (and even so in the
case where the From was person(_at_)another-example(_dot_)com). It is just a matter
of how you define "Author", or of writing "Author or Sender address",
subject to some restrictions, in the definitions above.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html