ietf-dkim

Re: [ietf-dkim] Resigner Support of RFC 5617 (ADSP)

2009-10-13 06:04:46


--On 12 October 2009 09:36:25 -0700 Michael Deutschmann 
<michael(_at_)talamasca(_dot_)ocis(_dot_)net> wrote:

> On Mon, 12 Oct 2009, Ian Eiloart wrote:
>> It also seems to me that there must be a difference between "dkim=all"
>> and "dkim=discard". Publishing "discard" should mean that there's no
>
> My understanding is that the all/discard distinction is orthogonal to
> the mailing list issue.
>
> I think the motivation for discard is to give guidance when someone
> realizes a message seems to be forged after it has already been accepted
> by their MX.

You don't have to accept a message just because you've seen the body. You
can still reject it at SMTP time without generating a bounce message. Oh,
but of course if you have accepted it, then you want to know whether you
can discard it.

> This could happen, say, if a user at a DKIM-unaware ISP
> installed a DKIM-analysing plugin into their MUA.
>
> In this situation, there are only three choices:
>
> 1. Send a bounce message
> 2. Drop it silently
> 3. Ignore the validation failure and show it to the user anyway.
>
> #1 is clearly unacceptable in this day and age, since in the frequent
> case that the message was indeed forged, the bounce would be backscatter.
> (Unless perhaps SPF asserted the provenance of the bounce address.)
>
> dkim=discard hints that people in this situation should take option #2.
> It would be appropriate for sites that really, really, don't want their
> users to ever see a phish.

Right. Now, if you're a mailing list operator, and you see a message with a
good DKIM signature that you're about to break, what should you do with it?
I don't think you should deliver it if ADSP says "discard". I think you
should bounce it while it's still bounceable, or even reject at SMTP time.

If ADSP says "all", I think you should add your own signature, covering the
list headers that you've added and the rest, and deliver the message. Let
the recipients measure your reputation: since the original signature is
broken, they can't measure the OP's reputation.

So, I don't think this is orthogonal.

> dkim=all hints that people in this situation should take option #3.  It
> makes mail less likely to be mysteriously lost if there is a screwup in
> the signing of the legitimate mailstream.
>
> Ideally, of course, all improperly signed mail would be rejected at CR LF
> '.' CR LF, and this distinction would be irrelevant.
>
> discard, all, and except_mlist thus cover three corners of a
> square.

What are the dimensions on that square?

> In theory we could have a fourth option, that provides for silent discard
> of mail that fails DKIM and is clearly not legitimate mailing list
> traffic.  But I don't think anyone would ever use it.
>
> ---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
> _______________________________________________
> NOTE WELL: This list operates according to
> http://mipassoc.org/dkim/ietf-list-rules.html



-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
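The decision the two posters are debating, written out as an added example (it is not code from either poster or from any list software): parse the ADSP record a domain publishes at `_adsp._domainkey.<domain>` and pick the action a mailing list should take before it breaks the author's signature. RFC 5617 spells the stricter policy "discardable" where the thread says "discard"; treating any unrecognised value as "unknown" follows the RFC, and the action names are my own.

```python
import re

# RFC 5617 records use the DKIM tag=value list syntax, e.g. "dkim=discardable;".
_TAG_RE = re.compile(r'^\s*([a-zA-Z][a-zA-Z0-9]*)\s*=\s*(.*?)\s*$')


def parse_adsp(record):
    """Parse an ADSP TXT record into a dict of tag -> value."""
    tags = {}
    for field in record.split(';'):
        if not field.strip():
            continue                       # tolerate a trailing ';'
        m = _TAG_RE.match(field)
        if not m:
            raise ValueError('malformed ADSP tag: %r' % field)
        tags[m.group(1)] = m.group(2)
    return tags


def adsp_practice(record):
    """Return 'unknown', 'all' or 'discardable' (None = no record published)."""
    if record is None:
        return 'unknown'
    practice = parse_adsp(record).get('dkim', 'unknown')
    # RFC 5617 4.2.1: any other value is treated as "unknown".
    return practice if practice in ('all', 'discardable') else 'unknown'


def list_action(record, author_sig_verifies, will_modify):
    """Action a mailing list should take on a post (action names are assumed).

    Failing signature: Michael's options 2/3, but refused at SMTP time rather
    than dropped after acceptance, so no backscatter bounce is ever generated.
    Good signature the list is about to break: Ian's rule, reject while it is
    still rejectable under 'discardable', otherwise add the list's own
    signature so recipients can judge the list's reputation instead.
    """
    practice = adsp_practice(record)
    if not author_sig_verifies:
        return 'reject_smtp' if practice == 'discardable' else 'deliver'
    if will_modify:
        return 'reject_smtp' if practice == 'discardable' else 'resign_and_deliver'
    return 'deliver'                       # unmodified, signature survives
```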
