[Asrg] where the message originated (was: DKIM role?) (SM)
Dotzero
dotzero at gmail.com
Tue Jan 20 06:02:31 PST 2009
On Tue, Jan 20, 2009 at 8:44 AM, Ian Eiloart <iane at sussex.ac.uk> wrote:
>
>
> --On 19 January 2009 13:37:50 -0500 Dotzero <dotzero at gmail.com> wrote:
>
>>
>>> Yes, I know. Presumably your bank doesn't email you through this list or
>>> any other, though. What I'm after here is avoiding bank phishing. When
>>> communicating with my bank, I want them emailing me directly, to my
>>> current email address.
>>>
>>> I'd be just as happy if they used DKIM to sign the message. I'd still
>>> need my mail client to tell me that it was signed properly, though. And,
>>> signed by the owner of the address that I can see in the message headers.
>>>
>>
>> How happy will you be when your ISP checked the DKIM signature
>> upstream from your mail client, added in x-headers showing the check
>> (and possibly other things) and broke the signature?
>
> That would make me unhappy. Presumably they're not supposed to do that, but
> doesn't DKIM allow the signer to say what they're signing? And, doesn't that
> survive addition of new headers? If my ESP (of course I don't use my ISP for
> email) broke a DKIM signature, I'd expect them to replace the signature with
> a good one. But, I'd prefer that they simply delivered the message unbroken.
>
> Of course, all of this works better when it's correctly implemented.
>
Why aren't they supposed to do that? How many MUAs are checking DKIM
signatures at the moment? I can think of a numbe rof ISPs that are
adding headers to indicate various checks. From a DKIM perspective,
the less you sign the greater the risk. Don't do the body length (full
length that is)? Evil bad person can engate in replay attacks with
content of their choice.
This is not only about what you prefer personally. This is about what
works generally. You work for a University. What percentage of your
endusers are checking DKIM? I'm going to take a wild leap and assert
that it approximates zero if it isn't actually zero.
As far as I know, DKIM checking is happening at the MTA or in
association with the MTA (Seperate host behind the front line MTA or
something similar). It isn't happening at the user level. And that
makes sense, at least to me. Maybe in some distant future MUAs will do
DKIM checking but I wouldn't hold my breath.
More information about the Asrg
mailing list