-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Rolf E.
Sonneveld
Sent: Monday, May 02, 2011 1:14 PM
To: dcrocker(_at_)bbiw(_dot_)net
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Output summary - proposing ODID "Originating Domain
Identity"
In other words, DKIM has nothing to do with the rfc5321.From field, and
therefore it is entirely inappropriate -- that is, out of scope -- for the
specification to suggest dealing with it.
You mean 5322.From?
Yes, I think that's what he meant.
And how should we read par. 3.2.2 of RFC4686 if it is out of scope for
DKIM to deal with it?
Bad acts related to email-based fraud often, but not always, involve
the transmission of messages using specific origin addresses of other
entities as part of the fraud scheme. The use of a specific address
of origin sometimes contributes to the success of the fraud by
helping convince the recipient that the message was actually sent by
the alleged author.
To the extent that the success of the fraud depends on or is enhanced
by the use of a specific origin address, the bad actor may have
significant financial motivation and resources to circumvent any
measures taken to protect specific addresses from unauthorized use.
When signatures are verified by or for the recipient, DKIM _is
effective in defending against the fraudulent use of origin addresses_
on signed messages.
Although 5322.From is not mentioned here, how can DKIM provide any level
of defense against fraudulent use of origin addresses, if d= is the one
and only mandatory output of the verification process?
Why does the output of DKIM need to include something when the consumer of that
output already has that information?
Or should we declare this paragraph obsolete?
It could stand some revision, I suspect.
Nevertheless, the overall threat model doesn't require that DKIM itself, i.e.
the protocol being defined, also be the thing that evaluates origin addresses
for validity or value. It's certainly legitimate to leave that to other
modules, just like SMTP isn't required to do any evaluation work of the payload
it carries. But DKIM is a key component to that overall system.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html