
Re: [ietf-dkim] DKIM does not claim content is correct

2009-01-27 20:35:34
Doesn't have to sign *all* - but some key fields like an authenticator
and/or received headers that stamp Received: from (foo(_at_)localhost) say
are certainly going to make sense to sign.

My concern was that we are reinventing the wheel a lot when we use i=
as a substitute for these other headers, when it can be used for a
rather different and more useful purpose.

Yes I know DKIM doesn't validate content .. grandma vs. botmaster is
reputation hijack, an entirely different kettle of fish and not
germane here.

--srs

On Wed, Jan 28, 2009 at 12:16 AM, Dave CROCKER <dhc(_at_)dcrocker(_dot_)net> wrote:


Suresh Ramasubramanian wrote:

2. DKIM signs all the headers and validation of that hash tends to be
useful to verify grandma is who she is.  Or at least it's her, or it's
comrade botmaster who's just taken over grandma's PC.


This is a common misunderstanding of DKIM:

1. DKIM doesn't have to sign all the header fields.

2. Independent of how much or little it signs, a DKIM signature does not
mean that any of the content is "valid", merely that data integrity has been
maintained.  In particular, there is nothing that says that the author field
accurately states who created the message.

What is delivered can be verified as what was sent.  But what was sent is
still free to be incorrect.

d/
--

 Dave Crocker
 Brandenburg InternetWorking
 bbiw.net

-- 
Suresh Ramasubramanian (ops(_dot_)lists(_at_)gmail(_dot_)com)
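The two points Dave makes above (only the header fields listed in the signature's h= tag are covered, and a valid signature proves integrity rather than truthfulness) are easy to see in a small model. The following is an added example, not code from the thread or from any DKIM implementation: HMAC-SHA256 with a constructed per-domain key stands in for the real RSA/Ed25519 signature and DNS-published public key, the canonicalization is a bare "simple" join with no folding or whitespace handling, and the message, keys and domain names are constructed.

```python
"""Toy model of DKIM's selective header signing (h= tag).

Assumptions (this is an illustration, not a DKIM implementation):
- HMAC-SHA256 with a per-domain shared key stands in for public-key signing.
- "Simple" canonicalization only: header fields joined with CRLF, no folding,
  case or whitespace normalization.
"""
import hashlib
import hmac

# Constructed per-domain signing keys (stand-in for keys published in DNS).
KEYS = {
    "example.com": b"constructed-key-for-example.com",
    "other.example": b"constructed-key-for-other.example",
}

# Constructed sample message.
HEADERS = {
    "From": "grandma@example.com",
    "To": "friend@example.net",
    "Subject": "hello",
    "Received": "from foo@localhost by mx.example.com",
    "X-Mailer": "Some client 1.0",
}
BODY = "Hi, it's me.\r\n"


def body_hash(body: str) -> str:
    """bh= value: hash of the (canonicalized) body."""
    return hashlib.sha256(body.encode()).hexdigest()


def canonicalize(headers: dict, signed_fields: list) -> str:
    """Only the fields named in h=, in h= order, are covered by the signature."""
    return "\r\n".join(
        f"{name}: {headers[name]}" for name in signed_fields if name in headers
    )


def sign(headers: dict, body: str, signed_fields: list, domain: str) -> dict:
    """Return a DKIM-Signature-like record with d=, h=, bh= and b=."""
    bh = body_hash(body)
    data = canonicalize(headers, signed_fields) + "\r\nbh=" + bh
    b = hmac.new(KEYS[domain], data.encode(), hashlib.sha256).hexdigest()
    return {"d": domain, "h": list(signed_fields), "bh": bh, "b": b}


def verify(headers: dict, body: str, sig: dict) -> bool:
    """Integrity check only: recompute over the h= fields and the body hash."""
    if body_hash(body) != sig["bh"]:
        return False
    data = canonicalize(headers, sig["h"]) + "\r\nbh=" + sig["bh"]
    expected = hmac.new(KEYS[sig["d"]], data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["b"])


def unsigned_field_edit_passes() -> bool:
    """A field outside h= (here X-Mailer) can change without breaking the signature."""
    sig = sign(HEADERS, BODY, ["From", "To", "Subject"], "example.com")
    edited = {**HEADERS, "X-Mailer": "Edited in transit"}
    return verify(edited, BODY, sig)


def signed_field_edit_fails() -> bool:
    """A field inside h= (here Received) cannot change without breaking it."""
    sig = sign(HEADERS, BODY, ["From", "Received"], "example.com")
    edited = {**HEADERS, "Received": "from somewhere-else by mx.example.com"}
    return verify(edited, BODY, sig)


def signature_does_not_vouch_for_content() -> bool:
    """A valid signature proves the signing domain (d=) saw exactly this content.
    It says nothing about whether From: is truthful, and d= need not even match
    the From: domain; checking that alignment is a separate policy decision."""
    sig = sign(HEADERS, BODY, ["From", "To", "Subject"], "other.example")
    from_domain = HEADERS["From"].split("@")[1]
    return verify(HEADERS, BODY, sig) and sig["d"] != from_domain


if __name__ == "__main__":
    print("edit outside h= still verifies:", unsigned_field_edit_passes())
    print("edit inside h= still verifies: ", signed_field_edit_fails())
    print("valid sig, d= != From domain:  ", signature_does_not_vouch_for_content())
```

The third function is the one that matters for this thread: `verify` returns True for a message whose From: names example.com while the signature comes from other.example, because the signature only binds the listed fields and body to whichever key signed them. What was delivered is what was sent; whether the sender's claim about itself is true is a question the verifier has to answer by other means.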