Franck Martin wrote:
> Silly question (?):
> Knowing that many mailing lists add [topic] at the beginning of the Subject
> line,
> what if DKIM was set to ignore that part when signing/verifying?
> Would it help to solve the problem of broken signature thru mailing lists?
> I realize the issue would be to also detect the added footer, but if I recall
> you can specify in dkim to sign only a certain length of the body and not
> the whole body.

So are you proposing changes or a BCP for DKIM signing and verification?

DKIM Signer Tips:

- When signing messages targeted for a mailing list, you MAY
  consider using the l= tag to increase the survival
  rate of the message list distribution when a list
  footer is the only change to the body integrity.

  SECURITY NOTE: Please keep in mind there are replay
  exploit potentials with l= body length usage.

DKIM Verifier Tips:

- If a signature fails to validate, you MAY consider retesting
  to see if the failure was related to a subject line modified
  with [LIST-NAME] tag. Strip the tag and retest. You might
  also check if the z= tag is available with the original Subject:
  header value.

But what about the other passive MLS-based mail tampering, albeit
industry-acceptable, change options possible, such as stripping
attachments, stripping HTML mime parts?

For our MLS software DKIM integration, I followed the expired DSAP
proposed recommendations to first make sure there are no POLICY based
restrictions and to exclude list membership for these domains. An
example can be seen at this subscription page showing the ADSP
Restriction warning:
http://www.winserver.com/public/code/html-subscribe?list=list-dkim
Try subscribing with any ADSP restricted domain email address, such as
my test CatInTheBox.Net domain which has a DNS ADSP TXT record
DKIM=DISCARDABLE and you will see a subscription deny response.

But once the member is allowed, we are doing the basic list submission
mechanics of:

- Verify original signature(s),
- Add verification results with A-R header(s),
- Modify/prepare message based on list option, which include
- Strip original signature(s),
- Resign with signer domain defined for the list,
- Perform Distribution, there is no expectation of
  DKIM-related failure related to ADSP policies or
  related to broken original signatures.

One of the outcomes of this was the suggestion of a new list option that
basically offers an option such as:

[_] Keep Original Mail Integrity

I like the idea because it is really a DKIM independent concept to
offer list distribution features that do not alter list mail in any
way. But in a new DKIM aware mail environment, this "no mail
tampering" list option can apply very well for a list with resigning
or no resigning scenarios where retaining original mail signature(s)
is desired. The only change when resigning is the creation of a new
signature which technically should not fail a DKIM verifier.

The main point I would like to stress is that we really need to begin
to make DKIM something that is WORTH processing with well established
conditions for GOOD and BAD mail filtering and reduce all the
constant fuzzy mail designs that only continue to produce
indeterminate results. All that means is that if a domain is really
seriously concerned about its DKIM signed mail survivability and
minimizing all failures, then the domain should avoid submitting these
domain messages to "Meat Grinders" such as a MLS well known to operate
with industry-accepted mail tampering features.

Higher survivability can only begin to occur as the MLS software is
made DKIM aware. I suggest there will continue to exist older legacy
software and most likely for many years. But new or old, you will
always need to be aware of the list operating behavior and what it
does for DKIM directly or indirectly.

In all cases, you are just putting your domain, brand and reputation
at risk if you sign your mail with an expectation they will have a
high survivability rate. IMV, the reason there seems to be a
continued aura of unsureness for DKIM is because we still have many
failure conditions the DKIM Signer Domain Assessment model can not
address. It doesn't even address the NO SIGNATURE scenario. So we are
left with limited DKIM utility where the only message to consider is
one DKIM signed by a trusted source. Anything else has an
indeterminate status. All that means is I don't think it helps a domain
if it is going to go against this GOOD MAIL only idea by submitting
signed mail to a list expecting it to survive when there is no current
way to know what that list is going to do and the odds are very high
it will break your original integrity. At best, it is for the author
domain to be aware that the list signer domain will take responsibility for
your copyrighted message by resigning it.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
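
The two tips in the message above (l= on the signer side, strip the [LIST-NAME] tag and retest on the verifier side), as an added example that is not part of the original message or of any MLS or DKIM product. It covers only the body-hash half of verification with "simple" body canonicalization; the function names and the sample message are constructed for illustration.

```python
import base64, hashlib, re

def simple_body(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    return re.sub(rb"(\r\n)+\Z", b"", body) + b"\r\n"

def body_hash(body: bytes, length=None) -> str:
    """Compute a bh= value (sha256); with length set, hash only the first l= octets."""
    canon = simple_body(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def classify_body(received: bytes, bh: str, length=None):
    """Return (status, unsigned_tail) for a received body against the signature's bh= and l=."""
    canon = simple_body(received)
    if length is None:
        return ("match" if body_hash(received) == bh else "fail", b"")
    if length > len(canon) or body_hash(received, length) != bh:
        return ("fail", b"")
    tail = canon[length:]  # octets past l= are NOT covered by the signature
    return ("match-with-unsigned-tail" if tail else "match", tail)

def strip_list_tag(subject: str) -> str:
    """Candidate original Subject for a retest: drop one [LIST-NAME] tag, keep any Re: prefix."""
    return re.sub(r"^((?:re:\s*)*)\[[^\]]+\]\s*", r"\1", subject, count=1, flags=re.I)

# Constructed sample: what the author signed, and what the list delivered.
ORIGINAL = b"Hello list,\r\nsee the notes below.\r\n"
FOOTER = b"_______________\r\nfooter added by the list software\r\n"
RELAYED = ORIGINAL + FOOTER
L_TAG = len(simple_body(ORIGINAL))   # value a signer would place in l=
BH = body_hash(ORIGINAL, L_TAG)      # value a signer would place in bh=

if __name__ == "__main__":
    # Without l= the footer breaks the body hash.
    print(classify_body(RELAYED, BH))
    # With l= the hash survives, and the verifier can see exactly which
    # octets were appended without being authenticated (the replay concern).
    print(classify_body(RELAYED, BH, L_TAG))
    # Subject candidate to retest, or to compare with a z= copy if present.
    print(strip_list_tag("Re: [list-dkim] Mailing lists and signatures"))
```

A verifier that accepts `match-with-unsigned-tail` is trusting content the signer never saw, so the tail is returned for policy or display decisions rather than discarded.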