Earl Hood wrote:
On July 28, 2005 at 14:39, "Hector Santos" wrote:
Take for example with two signatures. Is this an example of a 3rd party
signing? What policy controls this?
Using your spoof example:
DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;
    c=simple; q=dns;
    h=Received : From : To : Subject : Date : Message-ID;
    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
      VoG4ZHRNiYzR;
Received: from 10.2.3.4-example.com [10.2.3.4]
    by submitserver.example.com with SUBMISSION;
    Fri, 11 Jul 2003 21:01:54 -0700 (PDT)
From: Joe User <joe(_dot_)user(_at_)example(_dot_)com>
To: Suzie Q <suzie(_at_)shopping(_dot_)example(_dot_)net>
Subject: I need your help?
Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
Message-ID: <20030712040037(_dot_)46341(_dot_)5F8J(_at_)example(_dot_)com>
An SSP lookup for _policy._domainkey.example.com is done. In order for this
to pass, example.com must allow for a relaxed/neutral policy.
The above example I provided does not provide an i= tag, so it assumes,
according to the DKIM draft, that i= is equivalent to d=. The problem
occurs if the signer wants to set i= to the actual identity of the
entity they are signing for if the signer is acting as a third-party
agent. The DKIM states that i= must be a subdomain of d=, but this
seems restrictive for 3rd-party scenarios where the signer may be in
a different domain.
It's _supposed_ to be restrictive. That is, I don't want earlhood.com to
be able to assert i=mtcc.com without my permission. The way I grant permission is to
create a selector for your signer's key in mtcc.com's zone and then you just
sign as d=mtcc.com even though it's coming from one of your signers.
Mike
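
The rule debated in this thread, as an added example that is not part of the original messages: a Python check that the i= domain equals d= or is a subdomain of it, with an absent i= defaulting to "@" plus d=, and the DNS name where the signing key is looked up. The sample headers, the selector "earl", the address joe@mail.mtcc.com and the domain evilmtcc.com are constructed for illustration.

```python
import re

def parse_tags(value):
    """Parse a DKIM-Signature tag=value list; folding whitespace is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip().lower()] = re.sub(r"\s+", "", val)
    return tags

def identity_domain(tags):
    """Domain part of i=; an absent i= defaults to "@" + d."""
    d = tags["d"].lower().rstrip(".")
    return tags.get("i", "@" + d).rsplit("@", 1)[-1].lower().rstrip(".")

def identity_allowed(value):
    """True if the i= domain equals d= or is a subdomain of it."""
    tags = parse_tags(value)
    d = tags["d"].lower().rstrip(".")
    i_dom = identity_domain(tags)
    # Compare on a label boundary so "evilmtcc.com" does not match "mtcc.com".
    return i_dom == d or i_dom.endswith("." + d)

def key_record_name(value):
    """DNS name of the public key: it lives in d='s zone, so that zone's
    owner decides which signers may use d= (the delegation Mike describes)."""
    tags = parse_tags(value)
    return f"{tags['s']}._domainkey.{tags['d'].lower().rstrip('.')}"

# Constructed sample headers; b= values are placeholders, not real signatures.
SAMPLES = {
    "no i= (defaults to d=)": "a=rsa-sha1; s=whatever; d=ispoofyou.org; b=AAAA",
    "third party names other domain": "a=rsa-sha1; s=whatever; d=earlhood.com; i=@mtcc.com; b=AAAA",
    "delegated selector, signs as d=": "a=rsa-sha1; s=earl; d=mtcc.com;\r\n i=joe@mail.mtcc.com; b=AAAA",
    "suffix look-alike": "a=rsa-sha1; s=whatever; d=mtcc.com; i=@evilmtcc.com; b=AAAA",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:32} allowed={identity_allowed(header)} key={key_record_name(header)}")
```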