ietf-dkim

[ietf-dkim] ADSP and From header authentication?

2008-10-22 20:56:59
http://www.ietf.org/internet-drafts/draft-kucherawy-sender-auth-header-16.txt

The sender-auth draft provides a mechanism for use when ADSP records are discovered: the From header field can be captured within an Authentication-Results header. The purpose of the Authentication-Results header is to convey to MUAs the results of various message "authentication" checks. Because the Author-Signature definition limits what is allowed within a compliant DKIM signature, neither ADSP, Sender-ID, nor SPF can properly be described as providing an authentication of the From header field, PRA, or the MAILFROM email-address respectively. The Author-Signature definition prevents a compliant signature's "on-behalf-of" value from indicating that a From header field has not been authenticated.

In addition, the path registration process of Sender-ID and SPF only authorizes an SMTP client. An authorized SMTP client will not safely convey an assurance that the corresponding email-address was authenticated to represent the author, or even that it is a valid use of the email-address. Often thousands of email-domains share a common outbound server that might have only 8 IP addresses. Clearly, an IP address is not assured to relate to any specific email-address.

S/MIME and OpenPGP provide a means to authenticate an email-address. At this time, due to the Author-Signature definition, DKIM-ADSP does not. DKIM without ADSP could offer an assurance that an email-address was authenticated, since the signature is free to indicate what the signing domain actually authenticates. What the signing domain authenticates often differs from that of an email-address contained within the From or Sender header field. The authentication-header draft overstates to a dangerous degree what these mechanisms accomplish by using the term authentication. Fixing the ADSP Author-Signature definition would help eliminate the assumption of "authenticated" with respect to DKIM-ADSP.

-Doug
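An added example, not part of the post or of the draft it discusses: a small parser for the Authentication-Results header format that keeps each "pass" tied to the identifier the method actually reported on (smtp.mailfrom for SPF, the signing identity for DKIM), so an MUA or filter does not read an SPF or DKIM pass as a statement about the From header field. The sample header value and the SCOPE descriptions are constructed for illustration.

```python
# Constructed sample value (not from the post); authserv-id, then one result
# per ';'-separated stanza, as in draft-kucherawy-sender-auth-header.
SAMPLE = ("mx.example.net; "
          "spf=pass smtp.mailfrom=bounces@esp.example.com; "
          "dkim=pass header.i=@esp.example.com; "
          "dkim-adsp=pass header.from=alice@example.org")

# What a "pass" from each method establishes, following the post's argument:
# SPF/Sender-ID authorize an SMTP client, DKIM verifies a signing domain.
# These descriptions are an assumption for the example, not draft text.
SCOPE = {
    "spf": "SMTP client authorized by the MAIL FROM domain",
    "sender-id": "SMTP client authorized by the PRA domain",
    "dkim": "signature verified for the signing domain (d=/i=)",
    "dkim-adsp": "ADSP policy of the From domain evaluated",
}

def parse_authentication_results(value):
    """Return (authserv_id, results); each result is a dict with
    method, result and props mapping 'ptype.property' -> value.
    Quoted reason strings containing ';' are not handled (assumption)."""
    stanzas = [s.strip() for s in value.split(";") if s.strip()]
    authserv_id = stanzas[0].split()[0]          # ignore optional version
    results = []
    for stanza in stanzas[1:]:
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        method = method.split("/")[0].lower()    # strip "method/version"
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            if key and val:
                props[key.lower()] = val
        results.append({"method": method, "result": result.lower(), "props": props})
    return authserv_id, results

def identifiers_covered(value):
    """Map each passing method to the properties it reported on, so a consumer
    does not read spf=pass as a statement about the From header field."""
    _, results = parse_authentication_results(value)
    return {r["method"]: sorted(r["props"]) for r in results if r["result"] == "pass"}

def methods_reporting_on(value, prop):
    """Methods whose passing result names the given property (e.g. 'header.from')."""
    return sorted(m for m, props in identifiers_covered(value).items() if prop in props)
```

With the sample above, only the dkim-adsp stanza names header.from; the spf and dkim passes say nothing about it.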