ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] the usual misunderstanding about what DKIM promises

2010-10-23 14:28:10
On Fri, Oct 22, 2010 at 10:13 PM, Hector Santos <hsantos(_at_)isdg(_dot_)net> 
wrote:
John Levine wrote:
DKIM makes no statement about the validity of a "sender" address.
d/
I guess I should have said Author address.

DKIM makes no statement about the validity of an Author address.

I keep reading this but there is no technical merit to show there is
any truth to it, and in fact the only thing that is probably the
strongest validity is the Author Address.

No matter how many times it is stated and repeated, it will never be
true. If one wants this to be true, then remove the required binding
the Author Address, A.K.A 5322.From.

No, not at all.  While I think it was probably a mistake to make the
signing of ANY header fields "MUST" (we should have just put "From" in
with the other "SHOULD" fields), the fact that "From" MUST be signed
says, in itself, nothing about the *validity* of the address (nor the
display name) in that field.  That's up to the signer.

It's all a question of what the signer is willing to sign.  I have two
submission domains that I use.  One, gmail.com, which does DKIM
signing, will only allow me to use a "From" address after it has sent
a test message to that address and seen that I can access the test
message.  So it's made *some* level of confirmation that I owned the
address at the time I set it up.  But there's no confirmation that I
still own the address, and there's certainly no assessment of the
display name that I associate with it.  Gmail will sign mail that I
send with my old IBM addresses in the "From", though I have not worked
for IBM for over a year and a half, and no longer have any
authorization from IBM to use those addresses.

Is that "valid"?

The other submission domain I sometimes use, which does not currently
DKIM-sign, will let me put anything at all that I like in the "From"
field, including, say, "president(_at_)whitehouse(_dot_)gov".  It doesn't check,
and it doesn't care, as long as I'm connected to their network when I
send the message.  They could start signing with DKIM tomorrow.  If
they did, would you then say that the "From" address in those messages
is "valid"?  I wouldn't.  You might say, "Well, they shouldn't oughta
do that."  Maybe wise people would advise them not to.  But maybe
they're not wise.  DKIM doesn't weigh in on that.

The fact is that probably 99% of their users just use the proper
domain in their "From" fields, and it doesn't matter.  The fact, for
John Levine's domains, is that he knows and trusts his users, so he
lets them do what he wants.  Now, if his signing domain started
developing a bad reputation because some of his users were sending
mail as "whitehouse.gov" or whatever, he might change his policy.  As
might my service provider, if they started signing and saw their
domain's reputation go south.

But that's all outside the scope of DKIM.  DKIM only provides
assurance of the *signing* domain, and that the message has arrived
substantially unchanged from when it was signed (modulo h= and c=).

Barry, as participant
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>