ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Output summary

2011-04-29 08:04:03
from [Charles Lindsey] [Permanent Link] 
On Thu, 28 Apr 2011 20:00:33 +0100, Rolf E. Sonneveld  
<R(_dot_)E(_dot_)Sonneveld(_at_)sonnection(_dot_)nl> wrote:


On 4/28/11 7:38 PM, Murray S. Kucherawy wrote:



Thus it is with DKIM.  DKIM sits on top of RFC5322 and related message  
format specs, which in turn sit on top of SMTP, which sits on top of  
TCP, which sits on top of IP, which sits on top of Wi-Fi or Ethernet,  
etc.  DKIM delivers the "d=" and other stuff to the next layer up.  It  
doesn't know or care what that "d=" is other than its use to complete  
the key retrieval step.  The next layer up, i.e. what sits on top of  
DKIM, is the one that is free to compare "d=" to From: or whatever else  
it wants to do.  That's not DKIM, that's ADSP or domain reputation or  
whatever other application we want to come up with that makes use of  
the output of DKIM.


Right. I strongly believe in the layered approach. However, that's
exactly the problem here. Like with IP and SMTP and any layered
application, the upper layer is dependent on what the lower layer
provides it with. If DKIM only enforces:

d= and
verification status

to be output, then the layered applications you describe (ADSP, domain
reputation, whatever) doesn't (always) have the means to do their job.


Indeed so. The task of DKIM is to express a *reliable* opinion on the  
validity of a signature. All it can say is "PASS" or "FAIL" (actually  
PERMFAIL or TEMPFAIL) and quote the 'd=' and 'h=' tags which it is  
affirming. No Ifs or Buts.

BUT the higher layers include not ony the assessor (which will surely be  
DKIM-aware) but all the subsequent agents through which it may pass  
(notably the recipient's MUA) which are likely less DKIM-aware; but all of  
them need to *rely* in some way on the verifier's assessment.

Therefore, it there is any possibility that subsequent agents will  
misinterpret the assurance given or implied to them, then it is much  
better for the verifier to report "FAIL" which, to agents beyond the  
assessor, indicates that no *reliable* signature was seen.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
   Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Output summary, Hector Santos
Next by Date:  Re: [ietf-dkim] Output summary, Charles Lindsey
Previous by Thread:  Re: [ietf-dkim] Output summary, Hector Santos
Next by Thread:  Re: [ietf-dkim] Output summary, Bill.Oxley
Indexes:  [Date] [Thread] [Top] [All Lists]