1: Of course DKIM can be used to validate the authenticity of the email, such as that it has been sent from the specified domain.

2: Validation response messages should NOT be forwarded! Normally, you would send a response message like from [email protected] to [email protected]. Of course, if ca.example.org is in full control of all email servers, they can easily do the validation at the leaf server ca.example.org, and then forward the email message to an internal server for S/MIME issuance, for example by adding an encrypted and signed header with the validation, or communicating out-of-band - for example with a MySQL server - that the message X is properly SPF and DKIM validated.

The type of forwarding SPF doesn't work with would be if [email protected] was forwarded to, let's say, [email protected]; then if I send a validation response to [email protected] from [email protected], validation would fail @ GMAIL when they receive the message from ca.example.org, which is a server not on my authorization list.

And a CA running an email server that forwards to a server they are not in full control of is a HUGE security risk for S/MIME issuance - unless they have proper agreements in place - for example a subCA that forwards their validations to the main CA, but still wants a "branded" email address for their ACME validations - but then their agreements could easily include that the subCA should do the validations at the leaf server, and then add information to the email that allows the main CA to see that SPF and DKIM were properly validated. Or include the client IP in the message, signed securely, so the main CA can validate SPF.
-----Original Message-----
From: [email protected] <[email protected]> On behalf of S Moonesamy
Sent: 25 June 2020 21:59
To: Alexey Melnikov <[email protected]>
Cc: [email protected]; [email protected]; [email protected]; [email protected]
Subject: Re: [Acme] Last Call: <draft-ietf-acme-email-smime-08.txt> (Extensions to Automatic Certificate Mana

Hi Alexey,

At 11:57 AM 25-06-2020, The IESG wrote:
>The IESG has received a request from the Automated Certificate
>Management Environment WG (acme) to consider the following document:
>- 'Extensions to Automatic Certificate Management Environment for end
>  user S/MIME certificates'
>  <draft-ietf-acme-email-smime-08.txt> as Proposed Standard
>
>The IESG plans to make a decision in the next few weeks, and solicits
>final comments on this action. Please send substantive comments to the

In Section 3.1, there is the following in Points 3 and 5:

"The message MAY contain Reply-To header field."

Is the duplication a mistake?

Point 6 states that its purpose is to "prove authenticity of a challenge message". How does DKIM prove authenticity [1]? Why is there a requirement that the message has to pass DMARC validation? Has forwarding been taken into account [2]?

Regards,
S. Moonesamy

1. Please see Section 5.4 of RFC 6376.
2. That does not work well with SPF.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
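An added example of the leaf-server / internal-server split proposed in the reply above (this is not code from the thread or from the ACME S/MIME draft): the edge server that actually received the challenge response records the client IP and the SPF/DKIM/DMARC verdicts it observed, binds them to the Message-ID and a timestamp under an HMAC, and the internal issuance server refuses to act on anything it cannot verify, since it can no longer check SPF itself on a forwarded message. The header name, shared key and addresses are constructed assumptions.

```python
import hashlib
import hmac
import json
import time
from email.message import EmailMessage

# Constructed for this example: secret shared by the leaf (edge) mail server and the
# internal issuance server; in practice it is provisioned out-of-band.
ATTEST_KEY = b"leaf-to-issuer-shared-secret-example-only"
ATTEST_HEADER = "X-ACME-Validation"  # hypothetical header name
MAX_AGE_SECONDS = 600                # how long an attestation stays usable

def _mac(body):
    return hmac.new(ATTEST_KEY, body.encode(), hashlib.sha256).hexdigest()

def attest(msg, client_ip, spf, dkim, dmarc, now=None):
    """Leaf server: bind SMTP-time facts (client IP, SPF/DKIM/DMARC) to this message."""
    ts = int(time.time() if now is None else now)
    fields = {"mid": str(msg["Message-ID"]), "ip": client_ip, "spf": spf,
              "dkim": dkim, "dmarc": dmarc, "ts": ts}
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))  # canonical bytes
    msg[ATTEST_HEADER] = f"{body}; mac={_mac(body)}"
    return msg

def verify(msg, now=None):
    """Issuer: accept only a present, fresh, MAC-valid header bound to this message."""
    raw = msg.get(ATTEST_HEADER)
    if raw is None:
        return False, "no attestation header"
    body, sep, mac = str(raw).rpartition("; mac=")
    if not sep or not hmac.compare_digest(mac, _mac(body)):
        return False, "bad mac"
    d = json.loads(body)
    if d["mid"] != str(msg["Message-ID"]):
        return False, "attestation bound to a different message"
    ts = int(time.time() if now is None else now)
    if not 0 <= ts - d["ts"] <= MAX_AGE_SECONDS:
        return False, "stale attestation"
    if (d["spf"], d["dkim"], d["dmarc"]) != ("pass", "pass", "pass"):
        return False, "spf/dkim/dmarc did not all pass"
    return True, d["ip"]  # issuer may log the original client IP

def sample_response(message_id="<resp-1@client.example>"):
    # Constructed sample: a challenge response as it arrives at the leaf server.
    m = EmailMessage()
    m["From"] = "user@client.example"
    m["To"] = "validation@ca.example.org"
    m["Message-ID"] = message_id
    return m
```

The MAC covers the Message-ID, so an attestation lifted from one response cannot be replayed onto another, and any edit to the recorded verdicts or client IP in transit invalidates it.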
