On Feb 4, 2008, at 8:24 PM, Hector Santos wrote:
> ASP cracks open the door to DKIM abuse and your unintentional
> "typos" example proves it.
Typos prove one must not be in a hurry.
Per the ASP definition, the domain of the DKIM signature MUST BE
authoritative for the domain within the From header email-address.
The ASP definition even takes this a step further and says i= and
email-address domains must match, which IMHO is being too strict.
The definition in the ASP draft allows the state of the signature to
just include:
a) valid/invalid
The ASP definition could be expanded by using the domain within the
signature's d= parameter, rather than the domain within the i=
parameter. When the i= domain is a sub-domain of a valid signature's
d= domain, the key can not have a sub-domain restriction. Therefore,
it is safe to use the d= parameter of valid signatures instead and
require the From domains in question to be at (match) or below the
signature's d= domain.
The Author Signature Definition should change to:
An "Author Signature" is any Valid Signature where the signing domain
(listed in the "d=" tag) matches or is above the domain of an
Author Address.
> Do you think software is going to know the difference now if your
> 3rd party signature was a typo, syntactically valid but unexpected
> or otherwise?
If software were unable to extract the domain of the signature and
compare this against a domain found in the From header, there would be
no point in referencing SSP records. So yes, software must be able to
determine a difference between a third-party domain and that of the
From domain. A typo within the signature would not provide a valid
signature. A typo in the From domain would exclude the signature as
being authoritative, where the message where domains do not compare
would have a third-party signature. The policy obtained would be that
of the From domain.
> Reread the definition of the ASP Author Signature definition again.
The term Author Signature is perhaps poorly considered. To correlate
with your perspective, "Author Signature" could be called "First Party
Signature". A "First Party Domain" would be the domain of an
email-address within the From header. A message would be considered "all"
or "discardable" compliant when all First Party Domains are signed by
a First Party Signature. The only ignored element for compliance
assessment would be that of the signature's i= parameter local-part.
> ASP has removed a 100% ZERO FALSE POSITIVE PROTECTION mechanism and
> it will not help DKIM signers if they can buy into this ASP in its
> flawed state.
I do not understand your statement. How is the ASP definition
flawed? The ASP definition appears to be overly restrictive,
especially for domains utilizing sub-domains to partition users.
-Doug
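The two "Author Signature" rules discussed in this message, the draft's i=-based match and the proposed d=-based "matches or is above" test, as an added worked example that is not part of the thread or of any DKIM/ASP implementation. It assumes the verifier has already produced a signature result as a small dict (`d`, optional `i`, and a `valid` flag); the sample signatures and From headers are constructed for illustration, and the typo'd domain is a made-up value.

```python
"""Classify a DKIM signature as an author (first-party) or third-party
signature for every address in the From header.

Two rules are compared:
  rule='i': the draft rule as described in the thread, the domain of the
            i= tag must equal each From domain exactly;
  rule='d': the proposed rule, each From domain must match or be below
            the signing domain in d=.
"""
from email.utils import getaddresses


def _domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, trailing dot removed."""
    return addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def from_domains(from_header: str) -> list[str]:
    """All domains found in a From header (the 'First Party Domains')."""
    return [_domain_of(a) for _, a in getaddresses([from_header]) if "@" in a]


def at_or_below(child: str, parent: str) -> bool:
    """True when child equals parent or is a sub-domain of parent.

    The label boundary check ('.' + parent) keeps 'notexample.com'
    from matching 'example.com'.
    """
    child, parent = child.lower(), parent.lower()
    return child == parent or child.endswith("." + parent)


def i_tag_domain(sig: dict) -> str:
    """Domain of the i= tag; RFC 4871 defaults i= to '@' + d= when absent."""
    return _domain_of(sig.get("i", "@" + sig["d"]))


def is_author_signature(sig: dict, from_header: str, rule: str = "d") -> bool:
    """Decide whether sig is an author signature for all From domains.

    sig: dict with 'd' (signing domain), optional 'i', and 'valid'
         (the boolean outcome of cryptographic verification).
    """
    if not sig.get("valid"):
        return False  # an invalid signature is never authoritative
    domains = from_domains(from_header)
    if not domains:
        return False  # nothing to be authoritative for
    if rule == "i":
        return all(d == i_tag_domain(sig) for d in domains)
    return all(at_or_below(d, sig["d"]) for d in domains)


def classify(sig: dict, from_header: str, rule: str = "d") -> str:
    """'author' or 'third-party' under the chosen rule."""
    return "author" if is_author_signature(sig, from_header, rule) else "third-party"


# Constructed samples: a parent-domain signature over a sub-domain From,
# and a signature whose d= carries a typo (made-up domain).
PARENT_SIG = {"d": "example.com", "valid": True}
TYPO_SIG = {"d": "exmaple.com", "valid": True}

if __name__ == "__main__":
    hdr = "Alice <alice@sales.example.com>"
    print("draft i= rule:  ", classify(PARENT_SIG, hdr, rule="i"))
    print("proposed d= rule:", classify(PARENT_SIG, hdr, rule="d"))
    print("typo in d=:      ", classify(TYPO_SIG, "alice@example.com"))
```

Under the draft rule the parent-domain signature over a sub-domain author is treated as third-party, which is the over-strictness the message complains about; under the d= rule it is an author signature. The typo'd signing domain is third-party under both rules, so the policy consulted would be that of the From domain either way.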
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html