ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Output summary - proposing ODID "Originating Domain Identity"

2011-05-03 18:27:41
from [Murray S. Kucherawy] [Permanent Link] 
-----Original Message-----
From: Rolf E. Sonneveld 
[mailto:R(_dot_)E(_dot_)Sonneveld(_at_)sonnection(_dot_)nl]
Sent: Tuesday, May 03, 2011 3:56 PM
To: Murray S. Kucherawy
Cc: IETF DKIM WG
Subject: Re: [ietf-dkim] Output summary - proposing ODID "Originating Domain 
Identity"


Why does the output of DKIM need to include something when the
consumer of that output already has that information?


Because a consumer should/must not have to re-do the work of the DKIM
verifier. Or put it differently: a consumer is just consuming the output
of the DKIM verification process, it will rely on it (provided there's a
trust relation between consumer and verifier), and it normally will not
re-do the work of the DKIM verifier. It has no knowledge of DKIM rules
(bottom up etc.). Just like a MUA has no information about how two MTA's
exchange a mail over SMTP.


The assertion you're making is that the consumer of an API shouldn't need to 
maintain any context; the API will give you back all the bits of context you 
need to continue as well as the answer you need.

If you feed N bytes of data to a hash function, what you get back is the 
resulting hash, not the hash and the source data or maybe the hash and N.  All 
of the context is still in the API consumer, not in the function that's giving 
you what you want.

If you give RSA_Verify() a signature, a public key and a hash, it gives you 
back a 1 if they match and a 0 otherwise, not 1/0 and then some of that same 
information you gave it.  The caller is the part of the system that knows what 
the answer is telling you, because it understands the nature of the function it 
called.

So it is with DKIM: If you get back an indication from a verifier function that 
a signature verified, then the signature covered the lowest From: field that 
you presented to it.  You know that because that's how the interface you're 
using was defined.

An implementation certainly could give you back that From: field's contents 
(and OpenDKIM does, if you ask for it), but still I don't see any reason to 
make it mandatory.

I might even go so far as to say returning that From: field is dangerous since 
it is not confirmed by anything, so DKIM (which is an authentication protocol) 
returning data that can't be validated, even if it was signed, is quite 
possibly asking for trouble.


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Output summary - proposing ODID "Originating Domain Identity", Rolf E. Sonneveld
Next by Date:  Re: [ietf-dkim] Output summary - proposing ODID "Originating Domain Identity", Douglas Otis
Previous by Thread:  Re: [ietf-dkim] Output summary - proposing ODID "Originating Domain Identity", Rolf E. Sonneveld
Next by Thread:  Re: [ietf-dkim] Output summary - proposing ODID "Originating Domain Identity", Douglas Otis
Indexes:  [Date] [Thread] [Top] [All Lists]