On Mon, 14 Jan 2008, Murray S. Kucherawy wrote:
> It seems to me that this change within dkim_policy() causes it to 
> deviate from the most recent published draft for SSP, which does not 
> take into account the "t" flag on the key itself.  The extent of "t=s" 
> in the key record in particular is to consider the signature invalid if 
> the message is signed for a subdomain when the published key record 
> explicitly prohibits such.  This is part of RFC4871 and thus that 
> decision process is complete before dkim_policy() is ever called. 
> dkim_policy() is meant only to implement SSP, so making this change 
> inside dkim_policy() isn't quite the right place to do it as the libdkim 
> API is currently designed.

To be more precise, step 1 of the SSP algorithm says:

    1.   If a valid Originator Signature exists, the message is not
         Suspicious, and the algorithm terminates.

If your message is signed for a subdomain, thus:

        DKIM-Signature: ...; [EMAIL PROTECTED]; d=example.com; ...
        From: [EMAIL PROTECTED]

...and the key claims "t=s", then this signature will not verify according 
to RFC4871.  It's thus not a valid Originator Signature as defined in SSP 
and can't be considered to satisfy (1) in the SSP algorithm.

That's not to say there's not a bug in the logic you've addressed in 
dkim_policy(), but I'm not convinced yet that this is the right solution. 
For example, sig_domain is populated from "d=" or dkim_domain which may 
not be the correct thing when subdomain verifying is being done. 
dkim_domain is typically populated from sender headers.  We should be 
comparing "i=" (even if we're talking about its implicit default value) to 
the sender address.

_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
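
The two checks discussed in this message, as an added example that is not part of the original message or of libdkim: the RFC 4871 "t=s" restriction on the "i=" domain (using the default "@d" when "i=" is absent), followed by a comparison of that identity with the sender address. The function names are hypothetical, and matching on the domain only is a simplifying assumption.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helpers for illustration; not libdkim's API. */
/* Domain part of an address; also accepts the "@domain" form of i=. */
static const char *addr_domain(const char *addr)
{
    const char *at = addr ? strrchr(addr, '@') : NULL;
    return at ? at + 1 : NULL;
}

/* RFC 4871: the i= domain must equal d= or be a subdomain of it, and
 * with "t=s" in the key record it must equal d= exactly.
 * i == NULL means the tag was absent, so the default "@d" applies. */
int identity_allowed(const char *d, const char *i, int key_t_s)
{
    const char *idom = i ? addr_domain(i) : d;
    size_t dl, il;
    if (d == NULL || *d == '\0' || idom == NULL || *idom == '\0')
        return 0;
    if (strcasecmp(idom, d) == 0)
        return 1;                   /* exact match is always allowed */
    if (key_t_s)
        return 0;                   /* key prohibits subdomain signing */
    dl = strlen(d);
    il = strlen(idom);
    return il > dl + 1 && idom[il - dl - 1] == '.' &&
           strcasecmp(idom + il - dl, d) == 0;
}

/* Assumed originator test (domain-only simplification): the signature
 * verified cryptographically, passed the check above, and the i=
 * domain (or its default, d=) equals the From: domain. */
int is_originator_sig(int crypto_ok, const char *d, const char *i,
                      int key_t_s, const char *from)
{
    const char *idom = i ? addr_domain(i) : d;
    const char *fdom = addr_domain(from);
    if (!crypto_ok || !identity_allowed(d, i, key_t_s))
        return 0;
    return idom != NULL && fdom != NULL && strcasecmp(idom, fdom) == 0;
}

int main(void)
{   /* Constructed sample: i= in a subdomain of d=, key record has t=s. */
    printf("%d\n", is_originator_sig(1, "example.com",
           "@sub.example.com", 1, "user@sub.example.com"));
    return 0;
}
```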
