Re: [Asrg] DKIM role?
Date: Sat, 10 Jan 2009 08:59:56 +1200 (FJT)
From: Franck Martin <franck at avonsys.com>
To: Anti-Spam Research Group - IRTF <asrg at irtf.org>
Subject: Re: [Asrg] DKIM role?
http://www.dkim.org/specs/rfc4871-dkimbase.html
4.1 Example Scenarios
There are many reasons why a message might have multiple signatures. For example, a given signer might sign multiple times, perhaps with different hashing or signing algorithms during a transition phase.
5.1 Determine Whether the Email Should Be Signed and by Whom
A signer can obviously only sign email for domains for which it has a private key and the necessary knowledge of the corresponding public key and selector information.
----------------
But more important:
----------------
i=
Identity of the user or agent (e.g., a mailing list manager) on behalf of which this message is signed (dkim-quoted-printable; OPTIONAL, default is an empty Local-part followed by an "@" followed by the domain from the "d=" tag). The syntax is a standard email address where the Local-part MAY be omitted. The domain part of the address MUST be the same as or a subdomain of the value of the "d=" tag.
INFORMATIVE DISCUSSION: This document does not require the value of the "i=" tag to match the identity in any message header fields. This is considered to be a verifier policy issue. Constraints between the value of the "i=" tag and other identities in other header fields seek to apply basic authentication into the semantics of trust associated with a role such as content author. Trust is a broad and complex topic and trust mechanisms are subject to highly creative attacks. The real-world efficacy of any but the most basic bindings between the "i=" value and other identities is not well established, nor is its vulnerability to subversion by an attacker. Hence reliance on the use of these options should be strictly limited. In particular, it is not at all clear to what extent a typical end-user recipient can rely on any assurances that might be made by successful use of the "i=" options.
----------------
So i= and d= can be from a totally different domain than the email is sent from. As long as the MTA has the private key and can use it to sign.
----- Original Message -----
From: "Jeff Macdonald" <jmacdonald at e-dialog.com>
To: "Anti-Spam Research Group - IRTF" <asrg at irtf.org>
Sent: Saturday, 10 January, 2009 2:59:07 AM (GMT+1200) Auto-Detected
Subject: Re: [Asrg] DKIM role?
On Sat, Jan 10, 2009 at 01:54:14AM +1200, Franck Martin wrote:
>The beauty of DKIM is that a federation of universities could
>provide a DKIM signature for all UK education centers. Ensuring you
>are dealing with properly registered education centers.
What would such a DKIM signature look like?
--
Jeff Macdonald
jmacdonald at e-dialog.com
_______________________________________________
Asrg mailing list
Asrg at irtf.org
http://www.irtf.org/mailman/listinfo/asrg
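The "i=" and "d=" rules quoted from the spec in the message above, as an added example that is not part of the original post or of any DKIM implementation. It checks the MUST (the "i=" domain is "d=" or a subdomain of it) and reports separately whether the From: domain falls under "d=", which the spec leaves to verifier policy. The domains, selector, and the bh=/b= placeholders are constructed; no cryptographic verification is done.

```python
import re
from email.utils import parseaddr

# Constructed sample values; bh= and b= are placeholders, not real signatures.
SIG_SUBDOMAIN = ("v=1; a=rsa-sha256; d=federation.example; s=sel1;\r\n"
                 " i=@college.federation.example; h=from:to:subject;\r\n"
                 " bh=PLACEHOLDER; b=PLACEHOLDER")
SIG_DEFAULT = "v=1; a=rsa-sha256; d=federation.example; s=sel1; bh=PLACEHOLDER; b=PLACEHOLDER"
SIG_BAD = "v=1; d=federation.example; s=sel1; i=user@notfederation.example; b=PLACEHOLDER"

def parse_tags(value):
    """Split a DKIM-Signature tag list ("tag=value; ...") into a dict."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            # Folding whitespace is not significant in d= or i=.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def under(domain, parent):
    """True if domain equals parent or is a subdomain of it (label boundary)."""
    return domain == parent or domain.endswith("." + parent)

def check_identity(sig_value, from_header):
    tags = parse_tags(sig_value)
    d = tags["d"].lower()
    # Default i= is an empty Local-part, "@", then the d= domain.
    # Simplification: dkim-quoted-printable in i= is not decoded here.
    i = tags.get("i", "@" + d)
    i_domain = i.rpartition("@")[2].lower()
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    return {
        "d": d,
        "i": i,
        # MUST in the spec: i= domain is d= or a subdomain of d=.
        "i_valid": under(i_domain, d),
        # Not required by the spec; whether to demand it is verifier policy.
        "from_aligned": under(from_domain, d),
    }

if __name__ == "__main__":
    for sig, frm in [(SIG_SUBDOMAIN, "Alice <alice@college.federation.example>"),
                     (SIG_DEFAULT, "Bob <bob@school.example>"),
                     (SIG_BAD, "Carol <carol@federation.example>")]:
        print(check_identity(sig, frm))
```

The second case is the one the message describes: the signature is well-formed even though the From: domain is unrelated to "d=". The third case shows why the subdomain test must match on a label boundary rather than a bare string suffix.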