ietf-dkim

Re: [ietf-dkim] the usual misunderstanding about what DKIM promises

2010-10-25 05:28:07


--On 22 October 2010 22:13:13 -0400 Hector Santos <hsantos(_at_)isdg(_dot_)net> 
wrote:

>> John Levine wrote:
>> DKIM makes no statement about the validity of a "sender" address.
>> d/
>> I guess I should have said Author address.
>>
>> DKIM makes no statement about the validity of an Author address.
>
> I keep reading this but there is no technical merit to show there is
> any truth to it, and in fact the only thing that is probably the
> strongest validity is the Author Address.

Actually, it depends on what one means by "validity". If one simply means 
that the author address hasn't been modified since the message was signed, 
then DKIM does speak to the validity.

If one means that the author address was used with the permission of the 
owner of the address, then a DKIM signature helps only if you know 
something about the signer. The likelihood of the author address being used 
with permission of the author will increase if signers make efforts to 
forbid domain spoofing. However, there's always the possibility that an 
account has been compromised, for example by a phisher.

> No matter how many times it is stated and repeated, it will never be
> true. If one wants this to be true, then remove the required binding to
> the Author Address, a.k.a. 5322.From.
>
> I will go on to suggest that this ongoing design confusion of trying
> to water it down with unrestricted resigners is what got this WG all
> bogged down in trying to teach the world that the From really means
> nothing but only the signer does.  It even reduces the incentive for
> adopters to invest in Domain DKIM Signing because they really have no
> power over controlling who can take control of their own messages or
> those that purport to be from them.  They have really little payoff.
>
> My point is it really hasn't helped DKIM to continue to water down the
> validity of the author address.  If it wasn't a required binding, then
> there begins some truth to the statement.



-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
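
The two senses of "validity" argued about in this exchange can be made concrete. The following is an added example, not code from the thread or from any DKIM implementation: RFC 4871 and RFC 6376 require the From header field to be listed in a signature's h= tag, so a signature that verifies proves that 5322.From is unchanged since signing; whether the signing domain (d=) is the author's domain is a separate question the signature does not answer, and the script checks it explicitly. The sample messages, the bh= and b= values and the function names are all constructed for illustration; no cryptographic verification is performed (that would need the signer's public key from DNS), only the structural checks a verifier applies around it.

```python
"""Added example; not code from the thread or from any DKIM implementation.

A DKIM-Signature necessarily covers 5322.From (RFC 4871/6376 require "from"
in h=), so a verified signature proves the From header is unmodified since
signing.  It says nothing about whether the signing domain (d=) is the
author's domain; a verifier that wants that must compare the two itself.

Messages below are constructed; bh= and b= are placeholders.  No
cryptographic verification is done here, only the structural checks.
"""
import email
import re
from email.utils import parseaddr


def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature tag=value list (RFC 6376 section 3.2).

    Folding whitespace is stripped from every value, which is harmless for
    the tags this example reads (h=, d=).
    """
    tags = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part.strip())
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def domain_of(address):
    """Domain part of a mailbox, lower-cased ('' if there is none)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def same_organization(signer, author):
    """Simplified first-party test: identical domains, or one a subdomain
    of the other.  A real deployment would consult a public-suffix list."""
    return (signer == author
            or signer.endswith("." + author)
            or author.endswith("." + signer))


def assess(raw_message):
    """Report what the DKIM-Signature on a message asserts about From."""
    msg = email.message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {"usable": False, "reason": "no DKIM-Signature header"}
    tags = parse_dkim_tags(sig)
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    # RFC 6376 section 6.1.1: a signature whose h= omits From MUST be ignored.
    if "from" not in signed:
        return {"usable": False, "reason": "h= does not cover From"}
    author = domain_of(msg.get("From", ""))
    signer = tags.get("d", "").lower()
    if not author or not signer:
        return {"usable": False, "reason": "missing From or d="}
    return {
        "usable": True,
        "from_covered": True,  # guaranteed by the h= check above
        "author_domain": author,
        "signing_domain": signer,
        # This is the question DKIM itself does not decide.
        "first_party": same_organization(signer, author),
    }


# Constructed sample: the author's own domain signs (placeholder bh=/b=).
AUTHOR_SIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
 h=from:to:subject:date; bh=placeholder=; b=placeholder=
From: Alice <alice@example.com>
To: bob@example.net
Subject: a message signed by the author's own domain
Date: Mon, 25 Oct 2010 05:28:07 +0100

hello
"""

# Same author address, but signed by a third party (a list or an ESP):
# the From header is still covered, yet DKIM does not vouch for its use.
THIRD_PARTY_SIGNED = AUTHOR_SIGNED.replace("d=example.com;", "d=lists.example.org;")

# h= omits From, which the RFC forbids: a verifier must ignore this signature.
FROM_NOT_SIGNED = AUTHOR_SIGNED.replace("h=from:to:subject:date;", "h=to:subject:date;")


if __name__ == "__main__":
    for label, raw in [("author-signed", AUTHOR_SIGNED),
                       ("third-party-signed", THIRD_PARTY_SIGNED),
                       ("from-not-in-h", FROM_NOT_SIGNED)]:
        print(label, assess(raw))
```

The third-party case is the one the thread is really about: the signature is structurally valid and binds 5322.From, so the author address cannot have been altered after lists.example.org signed it, but nothing in the signature says that example.com authorised that use. Only knowledge about the signer (the first_party check here, or a reputation system) turns "unmodified" into "used with permission".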


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
