[Asrg] DKIM role?

Franck Martin franck at avonsys.com
Fri Jan 9 12:59:56 PST 2009


http://www.dkim.org/specs/rfc4871-dkimbase.html
4.1 Example Scenarios

There are many reasons why a message might have multiple signatures. For example, a given signer might sign multiple times, perhaps with different hashing or signing algorithms during a transition phase.


5.1 Determine Whether the Email Should Be Signed and by Whom

A signer can obviously only sign email for domains for which it has a private key and the necessary knowledge of the corresponding public key and selector information. 


----------------
But more important:
----------------
i=
    Identity of the user or agent (e.g., a mailing list manager) on behalf of which this message is signed (dkim-quoted-printable; OPTIONAL, default is an empty Local-part followed by an "@" followed by the domain from the "d=" tag). The syntax is a standard email address where the Local-part MAY be omitted. The domain part of the address MUST be the same as or a subdomain of the value of the "d=" tag.

INFORMATIVE DISCUSSION: This document does not require the value of the "i=" tag to match the identity in any message header fields. This is considered to be a verifier policy issue. Constraints between the value of the "i=" tag and other identities in other header fields seek to apply basic authentication into the semantics of trust associated with a role such as content author. Trust is a broad and complex topic and trust mechanisms are subject to highly creative attacks. The real-world efficacy of any but the most basic bindings between the "i=" value and other identities is not well established, nor is its vulnerability to subversion by an attacker. Hence reliance on the use of these options should be strictly limited. In particular, it is not at all clear to what extent a typical end-user recipient can rely on any assurances that might be made by successful use of the "i=" options.
----------------

So i= and d= can be from a totally different domain than the email is sent from, as long as the MTA has the private key and can use it to sign.


----- Original Message -----
From: "Jeff Macdonald" <jmacdonald at e-dialog.com>
To: "Anti-Spam Research Group - IRTF" <asrg at irtf.org>
Sent: Saturday, 10 January, 2009 2:59:07 AM (GMT+1200) Auto-Detected
Subject: Re: [Asrg] DKIM role?

On Sat, Jan 10, 2009 at 01:54:14AM +1200, Franck Martin wrote:

>The beauty of DKIM is that a federation of universities could
>provide a DKIM signature for all UK education centers. Ensuring you
>are dealing with properly registered education centers.

What would such a DKIM signature look like?


-- 
Jeff Macdonald
jmacdonald at e-dialog.com

_______________________________________________
Asrg mailing list
Asrg at irtf.org
http://www.irtf.org/mailman/listinfo/asrg
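The i=/d= rule quoted above, and the "verifier policy" question of whether d= has anything to do with the From: header, are small enough to show in code. The following is an added example written for this page; it is not code from RFC 4871, from Franck, or from any DKIM implementation. The header values are constructed (the bh= and b= values are not real hashes or signatures and are never verified here), the domains are made up, and the relaxed/strict comparison of d= against the From: domain uses the terminology DMARC later standardised for "identifier alignment"; the organizational-domain helper is a deliberate simplification (last two labels) rather than a public-suffix-list lookup.

```python
"""Parse a DKIM-Signature header and check the i=/d= relationship.

Constructed example, not taken from RFC 4871 or any DKIM library.
Two checks are shown:
  1. RFC 4871 section 3.5: the domain part of i= MUST be the same as,
     or a subdomain of, the value of d=. A verifier must reject a
     signature that violates this.
  2. Whether d= has any relation to the From: header. RFC 4871 calls
     this a verifier policy matter; the relaxed/strict modes below use
     the identifier-alignment terms that DMARC defined later.
"""
import re


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag -> value, dropping FWS."""
    tags = {}
    for item in header_value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, value = item.split("=", 1)  # b= values contain '=' padding
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def signing_domain(tags: dict) -> str:
    return tags["d"].lower().rstrip(".")


def agent_identity(tags: dict) -> str:
    """Return i=, applying the RFC default of '@' followed by d=."""
    return tags.get("i", "@" + tags["d"]).lower()


def is_same_or_subdomain(candidate: str, parent: str) -> bool:
    candidate = candidate.lower().rstrip(".")
    parent = parent.lower().rstrip(".")
    return candidate == parent or candidate.endswith("." + parent)


def check_i_within_d(tags: dict) -> bool:
    """RFC 4871 3.5: i= domain must equal d= or be a subdomain of it."""
    identity = agent_identity(tags)
    if "@" not in identity:
        raise ValueError("i= must contain '@'")
    return is_same_or_subdomain(identity.rsplit("@", 1)[1], signing_domain(tags))


def from_domain(from_header: str) -> str:
    """Minimal addr-spec extraction (constructed; not a full RFC 5322 parser)."""
    match = re.search(r"<([^>]+)>", from_header)
    addr = match.group(1) if match else from_header.strip()
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def organizational_domain(domain: str) -> str:
    """Constructed simplification: last two labels. Real DMARC uses the PSL."""
    return ".".join(domain.split(".")[-2:])


def d_aligns_with_from(tags: dict, from_header: str, mode: str = "relaxed") -> bool:
    """Verifier policy: does the signing domain say anything about From:?"""
    d, f = signing_domain(tags), from_domain(from_header)
    if mode == "strict":
        return d == f
    return organizational_domain(d) == organizational_domain(f)


# Constructed sample headers (not real signatures; bh=/b= are placeholders).
FROM_HEADER = "Alice <alice@physics.uni.example>"
SIG_FIRST_PARTY = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=uni.example; s=mail2009;\r\n"
    "\ti=alice@physics.uni.example; h=from:to:subject:date;\r\n"
    "\tbh=ZmFrZWhhc2g=; b=ZmFrZXNp\r\n\tZw=="
)
# A third party (the hypothetical federation) signing with its own key:
SIG_THIRD_PARTY = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=edu-federation.example; s=fed;"
    " h=from:to:subject:date; bh=ZmFrZWhhc2g=; b=ZmFrZXNpZw=="
)
# An i= outside d=, which a verifier must reject:
SIG_BAD_I = (
    "v=1; a=rsa-sha256; d=uni.example; s=mail2009; i=@other.example;"
    " h=from:to:subject:date; bh=ZmFrZWhhc2g=; b=ZmFrZXNpZw=="
)

if __name__ == "__main__":
    for label, sig in [("first-party", SIG_FIRST_PARTY),
                       ("third-party", SIG_THIRD_PARTY),
                       ("bad i=", SIG_BAD_I)]:
        t = parse_dkim_tags(sig)
        print(label, "i within d:", check_i_within_d(t),
              "relaxed-aligned:", d_aligns_with_from(t, FROM_HEADER))
```

The third-party case is the one Franck describes: the federation's signature passes the i=/d= check (i= defaults to "@edu-federation.example"), and cryptographic verification would succeed if the key were real, yet d= tells the receiver nothing about the From: domain unless the receiver's policy requires alignment.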