Comments in-line at the risk of this getting overly long....
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org [mailto:ietf-dkim-
bounces(_at_)mipassoc(_dot_)org] On Behalf Of John R. Levine
Sent: Monday, May 10, 2010 3:44 PM
To: dcrocker(_at_)bbiw(_dot_)net
Cc: DKIM List
Subject: Re: [ietf-dkim] list vs contributor signatures, was Wrong
Discussion
On 5/7/2010 10:07 AM, John R. Levine wrote:
No, all it says is "we signed this mail." A signer with a good
reputation
will presumably rarely sign mail where the From: address actively
misidentifies the sender, but that's a second order effect.
"misidentifies" covers quite a lot.
I used it to mean that the From: address doesn't have a reasonable
connection to any of the persons or entities that composed the
message,
for some reasonable definition of reasonable.
That would be acceptable if you could avoid the use of the word
reasonable 3 times in a one sentence explanation of your intent.
If I send mail from bbiw.net (well, actually, sbh17.songbird.com is
my
standard MSA) but label the From: field as being gmail.com, that's
reasonable
to classify as "misidentifying" the From: address, since songbird
has
nothing
to do with gmail.
No, that's not misidentification. It may be something else, but we
need
more precise terminology, preferably that avoids loaded terms like
"forgery".
We have been saying we need more precise terminology for years.....
Operator-based signing is typically meaning that the message was
posted
by an
authorized user. There's absolutely no implication that the
operator
checked
or enforced the contents of the From: field.
That entirely depends on what you know about the signer. Two of the
largest signers, Google and Yahoo, mechanically check that the user
receives mail at the From: address. One of the smallest, me, knows
his
users well enough to be confident that they won't do hostile address
fakery even though I don't enforce anything mechanically beyond adding
trace headers. I have other opinions about other signers.
Opinions of signers? This takes us dangerously into reputation territory
<G>.
I'm realizing that a basic problem we have with explaining DKIM is
that it
makes semantic rather than operational assertions about messages.
Since we
are nerds, many of us deeply want to assign operational definitions,
like
"the people who know the passwords to the MTA that emitted this mail
also
know the passwords to the DNS server for the domain in the From:
line",
but they don't work, particularly for list mail in which the only
operational definition of a good list is one where the recipients like
what it sends.
The me part of we has looked deep into myself and found no such feelings
hiding in any nook or cranny.
So here's a scenario. Let's say I run a political satire mailing
list, to
which members contribute wacky messages pretending to be from famous
people like billg(_at_)microsoft(_dot_)com or
sarko(_at_)elysee(_dot_)fr(_dot_) I use some
technique
not visible in the outgoing mail to ensure that the contributions are
from
list members (perhaps a password that's stripped out.) Of course the
list
puts a shiny new DKIM signature on all its mail. The list is triple
opt-in with a cherry on top, and the subscribers await each list
message
all agog. Filter that.
Well, if one or more of your subscribers was at a domain that checks to
see if mail purporting to be from it actually came from one of it's
servers AND that domain was one of the spoofed emails ..... why yesiree
Bob, it would get filtered... but not on the basis of DKIM. I just love
hypothetical scenarios.....
If a DKIM signed message from the Moon to Jupiter is transported using
DTN.......
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html