On Thu, 28 Apr 2011 20:00:33 +0100, Rolf E. Sonneveld
<R(_dot_)E(_dot_)Sonneveld(_at_)sonnection(_dot_)nl> wrote:
> On 4/28/11 7:38 PM, Murray S. Kucherawy wrote:
>> Thus it is with DKIM. DKIM sits on top of RFC5322 and related message
>> format specs, which in turn sit on top of SMTP, which sits on top of
>> TCP, which sits on top of IP, which sits on top of Wi-Fi or Ethernet,
>> etc. DKIM delivers the "d=" and other stuff to the next layer up. It
>> doesn't know or care what that "d=" is other than its use to complete
>> the key retrieval step. The next layer up, i.e. what sits on top of
>> DKIM, is the one that is free to compare "d=" to From: or whatever else
>> it wants to do. That's not DKIM, that's ADSP or domain reputation or
>> whatever other application we want to come up with that makes use of
>> the output of DKIM.
> Right. I strongly believe in the layered approach. However, that's
> exactly the problem here. Like with IP and SMTP and any layered
> application, the upper layer is dependent on what the lower layer
> provides it with. If DKIM only enforces:
> d= and
> verification status
> to be output, then the layered applications you describe (ADSP, domain
> reputation, whatever) don't (always) have the means to do their job.
Indeed so. The task of DKIM is to express a *reliable* opinion on the
validity of a signature. All it can say is "PASS" or "FAIL" (actually
PERMFAIL or TEMPFAIL) and quote the 'd=' and 'h=' tags which it is
affirming. No Ifs or Buts.
BUT the higher layers include not only the assessor (which will surely be
DKIM-aware) but all the subsequent agents through which it may pass
(notably the recipient's MUA) which are likely less DKIM-aware; but all of
them need to *rely* in some way on the verifier's assessment.
Therefore, if there is any possibility that subsequent agents will
misinterpret the assurance given or implied to them, then it is much
better for the verifier to report "FAIL" which, to agents beyond the
assessor, indicates that no *reliable* signature was seen.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
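The layering argued over in this thread, as an added example that is not part of the list discussion or of any DKIM implementation: the DKIM layer parses the DKIM-Signature tag list and hands up only a status plus the d= and h= tags it affirms; a separate upper-layer function (standing in for ADSP or a reputation check) is the one that compares d= to the From: domain. The sample header, its bh= and b= values and the example.com names are constructed placeholders, and the `signature_valid` flag is an assumption that replaces the cryptographic check, which would need the public key from DNS.

```python
import re
from email.utils import parseaddr

# Constructed sample DKIM-Signature header value, folded as it might appear
# on the wire. bh= and b= are placeholders, not a real hash or signature.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;\r\n"
    "\th=from:to:subject:date; bh=PLACEHOLDERBODYHASH=;\r\n"
    "\tb=PLACEHOLDERSIGNATURE="
)


def parse_tag_list(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2).

    Tags are separated by ';', folding whitespace inside a value is
    removed, and a duplicated tag makes the whole list invalid.
    """
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # trailing ';' is permitted
        if "=" not in item:
            raise ValueError("malformed tag: %r" % item)
        name, _, val = item.partition("=")  # split on the FIRST '=' only
        name = name.strip()
        val = re.sub(r"\s+", "", val)  # drop FWS that folding inserted
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = val
    return tags


def verifier_output(dkim_signature_header, signature_valid):
    """Model the DKIM layer's output: PASS/PERMFAIL plus the d= and h=
    tags it affirms. `signature_valid` is an assumed stand-in for the
    cryptographic verification, which is not performed here."""
    failed = {"status": "PERMFAIL", "d": None, "h": None}
    try:
        tags = parse_tag_list(dkim_signature_header)
    except ValueError:
        return failed  # unparseable header: nothing can be affirmed
    required = {"v", "a", "d", "s", "h", "bh", "b"}
    if not required <= tags.keys() or tags["v"] != "1":
        return failed
    if not signature_valid:
        return failed  # on FAIL the verifier affirms no d= or h=
    return {"status": "PASS", "d": tags["d"].lower(),
            "h": [name.lower() for name in tags["h"].split(":")]}


def from_aligned(verifier_result, from_header):
    """Upper-layer check (not DKIM itself): the signing domain must have
    covered From: and must equal, or be a parent of, the From: domain."""
    if verifier_result["status"] != "PASS":
        return False
    if "from" not in verifier_result["h"]:
        return False  # From: was not signed, so d= says nothing about it
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    d = verifier_result["d"]
    return from_domain == d or from_domain.endswith("." + d)


if __name__ == "__main__":
    result = verifier_output(SAMPLE_DKIM_SIGNATURE, signature_valid=True)
    print(result)
    print(from_aligned(result, "Alice <alice@example.com>"))
    print(from_aligned(result, "Mallory <mallory@example.org>"))
```

Keeping `from_aligned` outside `verifier_output` is the point of the example: the verifier never sees From:, so an ADSP or reputation layer can only do its job if d=, the status and h= are all passed up.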