On 4/27/10 10:34 AM, Murray S. Kucherawy wrote:
-----Original Message-----
From: Jeff Macdonald [mailto:macfisherman(_at_)gmail(_dot_)com]
Sent: Tuesday, April 27, 2010 10:05 AM
To: McDowell, Brett
Cc: Murray S. Kucherawy; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Wrong Discussion - was Why mailing lists should strip DKIM signatures
That's interesting. Let's make this concrete... I'll use myself as
an example.
X = me/PayPal.com
Y = this list/ietf-dkim(_at_)mipassoc(_dot_)org
Z = Google's Gmail service [1]
It is my assumption that someone subscribed to this list has a
gmail.com account (or a Yahoo.com account [2]). Therefore, my use case
is simple. I would hope that those of you reading this from your Gmail
or Yahoo! accounts actually receive this message. If Z breaks the
signature, you won't see this.
How about Y breaking the signature? I see your message only because I
told gmail's filtering system to not put messages into the spam folder
for this list. Otherwise it would have gone into the spam folder.
Looking at the source of the message, I only see the list's DKIM
signature.
Y breaking the signature isn't relevant (in this hypothesis). Y also says
when it got the message from X, X's signature was intact. That Y messed up
the signature, making Z unable to verify it directly, is not important; Z
trusts Y, so Z trusts Y's Authentication-Results: that says X's signature was
fine when it got to Y.
While messages with intact DKIM signatures of financial institutions
offer reasonable protection, acceptance of broken signatures validated
by some third-party's authentication-results header would impose
significant risk. Any mailing list that does remove
authentication-results headers would provide easy exploits of X.
Should the policy statements be ignored at that point?
In this hypothesis, they could be. Or, they could be applied. If X's ADSP
says "all" or "discardable", and Z trusts Y, and Y claims X's message had a
valid signature, ADSP is satisfied.
Acceptance of DKIM messages signed by Y is likely to be less strict than
those by X, and likely to overlook broken signatures or lack of
authentication-results headers. However, an authorization scheme able
to scale to any number of such lists using a single DNS transaction
ensures X remains in control of the acceptance of their messages,
without needing special private arrangements for making specific exceptions.
Since X has the most at stake, an authorization scheme would allow X to
indicate which ADSP acceptance exceptions are desired. The indication
could be made on behalf of X through some designated vouching service,
or directly by X when they have audited the domains being used by
them. The ADSP record could include a flag to alert recipients of the
existence of an added third-party authorization mechanism.
-Doug
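Added example (my own, not code from anyone in this thread): how Z can act on the "Z trusts Y, so Z trusts Y's Authentication-Results" model while limiting the risk Doug describes, by taking X's result only from an Authentication-Results header that Y both emitted (authserv-id is Y) and covered with its own DKIM signature. It assumes a real DKIM verifier has already checked Y's signature (passed in as a flag); the message, domains and tag values are constructed.

```python
import email
from email import policy
# Constructed sample as Z might see it from list Y (mipassoc.org). bh=/b= are
# placeholders: a real DKIM verifier is assumed to have checked Y's signature.
# The top A-R header was added after Y signed; the bottom one is Y's own.
SAMPLE = """\
Authentication-Results: mipassoc.org; dkim=pass header.d=paypal.com
DKIM-Signature: v=1; a=rsa-sha256; d=mipassoc.org; s=list;
 h=From:Authentication-Results; bh=PLACEHOLDER; b=PLACEHOLDER
Authentication-Results: mipassoc.org; dkim=fail header.d=paypal.com
From: X <x@paypal.com>

"""

def dkim_tags(sig_value):
    pairs = (p.split("=", 1) for p in sig_value.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def signed_instances(msg, name, h_tag):
    """DKIM selects header instances bottom-up: if h= names a field n
    times, only the n bottom-most (oldest) instances are signed."""
    n = sum(1 for f in h_tag.split(":") if f.strip().lower() == name.lower())
    present = msg.get_all(name) or []
    return present[len(present) - n:] if n else []

def parse_ar(value):
    """Return (authserv-id, {method: (result, {ptype.prop: value})})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = {}
    for stmt in parts[1:]:
        toks = stmt.split()
        method, result = toks[0].split("=", 1)
        results[method] = (result, dict(t.split("=", 1) for t in toks[1:] if "=" in t))
    return parts[0].split()[0], results

def upstream_dkim_result(raw, list_domain, list_sig_verified, origin_domain):
    """Y-reported DKIM result for X, read only from an A-R header Y emitted and signed."""
    if not list_sig_verified:
        return None
    msg = email.message_from_string(raw, policy=policy.default)
    for sig in msg.get_all("DKIM-Signature") or []:
        tags = dkim_tags(sig)
        if tags.get("d", "").lower() != list_domain:
            continue
        for ar in signed_instances(msg, "Authentication-Results", tags.get("h", "")):
            authserv, results = parse_ar(ar)
            result, props = results.get("dkim", (None, {}))
            if authserv.lower() == list_domain and props.get("header.d", "").lower() == origin_domain:
                return result
    return None
```

Because h= selects instances from the bottom, an Authentication-Results header that reached Y already carrying Y's authserv-id would be the instance Y signs unless Y strips it first, which is the exposure Doug points at.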
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html