[Asrg] where the message originated

Franck Martin franck at avonsys.com
Mon Jan 12 12:03:39 PST 2009 

I have run a series of tests, where I sign a message (sent by me) but with only the Return-path containing my domain (DKIM does not sign the return-path as recommended in the spec).

I used the DKIM reflectors on www.dkim.org

and the assessment I got was: neutral (none of the signed field contain the domain of the signer).

like if it is wrong.

I think it should be a pass. I fear that many people that verify DKIM make the same mistake.

I'm thinking of adding an X-header that will contain my domain and sign it via DKIM and see if the reflectors are happier.

----- Original Message -----
From: "Dave CROCKER" <dhc at dcrocker.net>
To: "Anti-Spam Research Group - IRTF" <asrg at irtf.org>
Sent: Tuesday, 13 January, 2009 4:27:20 AM (GMT+1200) Auto-Detected
Subject: Re: [Asrg] where the message originated



Steve Atkins wrote:
> On Jan 12, 2009, at 4:44 AM, Alessandro Vesely wrote:
>> Hm.. I'm not much into DKIM. It technically allows to sign false 
>> identities, but doesn't (or shouldn't) it semantically imply that the 
>> signers must have some (possibly small but still positive) degree of 
>> trust that what they sign is correct?
> 
> No. The signature only means that the message you received was the one 
> signed by the signing identity.


Not quite right.  Or rather, not quite complete.  And I'm compelled to pick this 
nit, since it is fundamental to discussion about DKIM's purpose.

What you've described is a data integrity function.  Yes, DKIM performs that on 
the portions of the message it lists in the DKIM-Signature: header field. 
However, data integrity is a side-effect of DKIM and not it's actual purpose.(*)

It's purpose is:  "DKIM allows an organization to take responsibility for 
transmitting a message, in a way that can be validated by a recipient. "

So the requirement on the signer is to choose naming granularity and use that 
will provide the recipient with a stable label of a message stream.

The receiver is supposed to take the identifier being proffered by the signer 
and run it through an assessment process.

Presumably, a fake or transient or new identifier is likely to get far less 
trust than one with a track-record.  As noted, the intended benefit of DKIM is 
across a message stream, with the identifier being used to label that stream 
consistently.

d/

(*)  In fact, one can argue that DKIM doesn't perform data integrity all that 
well, to which the response is that that's ok, it does it well enough for 
validating the use of the identifier.

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
_______________________________________________
Asrg mailing list
Asrg at irtf.org
http://www.irtf.org/mailman/listinfo/asrg

More information about the Asrg mailing list