spf-discuss

Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-07 06:28:20


--On 6 October 2009 20:49:44 -0700 Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net> wrote:

On Tue, 6 Oct 2009, Scott Kitterman wrote:
On Tue, 6 Oct 2009 19:54:55 -0700 (PDT) Michael Deutschmann
<michael(_at_)talamasca(_dot_)ocis(_dot_)net> wrote:
...
> But, the reason DKIM-ADSP suffers mailing list FPs is not because of
> any deficiency in its cryptographic approach.  It's only because it
> tries to guard the header from (From:), rather than the envelope
> sender (MAIL FROM:), that it has this problem.  Meanwhile, its
> cryptographic approach does well at avoiding traditional-forwarder FPs.
> ...

This is exactly backwards.  Body From is preserved by mailing lists.

And that's the problem.  The list doesn't preserve the signature, but
preserves a purported identity that requires the unbroken signature.

Mailing lists are "friendly forgery" of the header From:, and break under
DKIM/ADSP.

Traditional forwarders are "friendly forgery" of the envelope FROM:, and
break under SPF.

This doesn't need a new protocol. When receiving messages, you should apply SPF and DKIM tests, and apply reputation tests to the one that matches, if either. What you're looking for is a token that you can reliably apply reputation services to. An SPF fail simply means that you can't apply your reputation service to the envelope-sender. It doesn't mean that the message isn't good, so go ahead and see if it has a good DKIM signature.

With DKIM, if you know a message has been through a list, then it should be re-signed. Check the new signature. If it matches, and you trust the list sender, then check the reputation of the original poster. If you trust the list, then you should assume that it's checking DKIM on the way in. If your assumption is wrong, you shouldn't trust the list.

Neither would break under the hybrid protocol.  It wouldn't care about
the friendly forgery of the mailing lists, and it would recognize most
traditional forwards as authentic because they are relayed verbatim.

---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com



--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
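The receiver-side rule Ian describes above, as an added example that is not part of the thread and not code from any of its participants. It reads the SPF and DKIM outcomes from an Authentication-Results header (RFC 5451 syntax) instead of doing DNS lookups or signature verification itself, picks the identity a reputation service should be applied to, and handles the two cases the thread contrasts: a traditional forwarder that breaks SPF but relays the signed message verbatim, and a mailing list that breaks the author's signature but re-signs with its own key. The domains, the three sample messages and the `trusted_lists` set are constructed for the example; the choice to look for a trusted re-signing list before consulting the SPF result is this example's design, not something the thread spells out.

```python
"""Pick the reputation identity for a received message from its SPF/DKIM results.

Added example; not from the spf-discuss thread or its participants.
Domains, messages and the trusted-list set below are constructed.
"""
import email
import re
from email import policy


def parse_auth_results(value):
    """Parse one Authentication-Results value into a list of result dicts.

    Input shape (RFC 5451): 'authserv-id; method=result prop=value ...; ...'.
    CFWS comments in parentheses are dropped; the leading authserv-id is skipped.
    """
    value = re.sub(r"\([^)]*\)", "", value)
    results = []
    for clause in value.split(";")[1:]:
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        entry = {"method": method.lower(), "result": result.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            entry[key.lower()] = val
        results.append(entry)
    return results


def domain_of(value):
    """Lower-cased domain of 'Alice <a@x.org>', 'a@x.org' or a bare 'x.org'."""
    return str(value).rsplit("@", 1)[-1].strip("<> \t").lower()


def reputation_identity(raw_message, trusted_lists=frozenset()):
    """Return (domain, how) naming the identity to score, or (None, reason).

    Rule: use whichever of SPF / DKIM actually verified. An SPF fail only says
    the envelope sender is unusable as a token, not that the mail is bad. For
    mail that a trusted mailing list re-signed, score the original poster and
    rely on the list having checked DKIM on the way in (an assumption the
    receiver makes by trusting the list at all).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    results = []
    for hdr in msg.get_all("Authentication-Results", []):
        results.extend(parse_auth_results(str(hdr)))

    spf_pass = [domain_of(r["smtp.mailfrom"]) for r in results
                if r["method"] == "spf" and r["result"] == "pass"
                and "smtp.mailfrom" in r]
    dkim_pass = [r["header.d"].lower() for r in results
                 if r["method"] == "dkim" and r["result"] == "pass"
                 and "header.d" in r]

    # Mailing-list case first: the list's own identity would pass both SPF and
    # DKIM, but the identity worth scoring is the poster's (header From domain).
    if msg.get("List-Id") is not None:
        for signer in dkim_pass:
            if signer in trusted_lists:
                return domain_of(msg.get("From", "")), "list-resigned:" + signer

    # Direct delivery (or an untrusted list): SPF pass makes the envelope
    # sender a reliable token.
    if spf_pass:
        return spf_pass[0], "spf"

    # Traditional forwarder: SPF fails at the final hop, but the message was
    # relayed verbatim, so the author's DKIM signature still verifies.
    if dkim_pass:
        return dkim_pass[0], "dkim"

    return None, "no-verified-identity"


# Constructed samples (hypothetical domains); the Authentication-Results
# values are what a verifier at mx.example.net would have recorded.
FORWARDED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=alice@example.org; dkim=pass header.d=example.org
From: Alice <alice@example.org>
To: bob@example.net
Subject: relayed verbatim through Bob's old address

Body unchanged, signature intact.
"""

VIA_LIST = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounces@lists.example.com; dkim=fail (body hash did not verify) header.d=example.org; dkim=pass header.d=lists.example.com
From: Alice <alice@example.org>
To: discuss@lists.example.com
List-Id: Discussion <discuss.lists.example.com>
Subject: [discuss] list added a tag and a footer

Body plus list footer; author signature broken, list re-signed.
"""

FORGED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=alice@example.org; dkim=none
From: Alice <alice@example.org>
To: bob@example.net
Subject: neither token verifies

Nothing here can be held accountable.
"""

if __name__ == "__main__":
    trusted = {"lists.example.com"}
    for name, raw in [("forwarded", FORWARDED), ("via list", VIA_LIST),
                      ("forged", FORGED)]:
        print(f"{name:>10}: {reputation_identity(raw, trusted)}")
```

With `lists.example.com` in `trusted_lists`, the list message scores `example.org` (the poster); with an empty trust set the same message scores `lists.example.com` via its SPF pass, which is the most that can be said about it. The forwarded message scores `example.org` via DKIM despite the SPF fail, and the forged one yields no identity at all.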


