Hi Murray,

Thanks for your quick response.

To give some background to the folks on the list: I'm developing an application that can wrap an LDA to provide DKIM verification. The purpose of this is to catch the edge case where e-mail is sent to an account on the same server. Currently, the MTA will invoke dkim-milter in signing mode and sign the e-mail, and the LDA will deliver it locally. Since the e-mail doesn't pass back through the MTA, there's no way to use dkim-milter in verify mode to verify these e-mails. I believe my application may be useful for mailing list applications as well (e.g. majordomo, etc.).

My intention is to follow the verification code in dkim-filter.c as a model. I guess I will want to follow this code very closely to provide the same level of verification that dkim-filter does. In particular, the function dkimf_authorsigok() implements a checking algorithm that I'll definitely need for the "dkim-asp=" part of the header. Let me know if I'm on the right track here.

Does it make sense to abstract the verification/header generation process a bit? Maybe applications like mine aren't common enough, but it might be nice if some code could be shared, since this code could theoretically be shared between dkim-filter and my application.

Another question I have is regarding the MUA. Do you know if MUAs in the future will interpret the Authentication-Results headers and give the user a pass/fail indication? I was thinking that it might be nice if this information could be taken into account by MUAs that provide junk mail filtering (such as Thunderbird). I know that DKIM is fairly new (and possibly not widely deployed -- yet), but it seems that MUA support for the headers would help users see a value for DKIM (and, for that matter, SPF).

Thanks again.

Regards,
Erik.

On Tue, 29 Jul 2008, Murray S. Kucherawy wrote:
> Erik Lotspeich wrote:
>> I am wondering about dkim_getsiglist(). Can a message contain multiple
>> valid signatures? How does this function differ from dkim_getsignature()?
>> When should I use each one?
>
> It depends on how much control you want over signature processing.
>
> dkim_getsignature() is used late in the process (i.e. after
> end-of-message) to return the first signature that validated or, if none
> did, the first syntactically valid signature. This is useful for an
> application with very simple policies.
>
> dkim_getsiglist() returns all signatures that were minimally
> syntactically valid, and this information is available much earlier in
> message processing (i.e. at end-of-headers). You can use the signature
> array you get back to inspect each one and mark specific ones to be
> ignored by the library. You can request the signature list late in the
> process too if you want to inspect all valid signatures to see which
> one(s) you want to report.
>
> Yes, a message can contain multiple valid signatures, if for example two
> different agents (maybe the sender and his/her ISP) signed it. This is
> why dkim_getsiglist() was added to the API.
>
>> I also have a question about dkim_sig_getbh(). The comments refer to a
>> "bh" test state. What is the "bh" test state?
>
> The "bh" tag on a signature is a cryptographic hash of the message
> body. The "bh" flag inside a signature handle is an indication of
> whether or not the body hash in the DKIM signature matched the message
> body the library was given.
>
> This is an important step of DKIM verification. The actual cryptography
> in a DKIM signature only covers the headers and the signature itself
> (which in turn includes the body hash), meaning signature validation
> only proves the headers and signature were unchanged in transit. You
> have to take the extra step of checking that the body hash in the
> signature also matched the body you got, otherwise someone could send an
> altered body and you'd still approve it.
_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
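The two points Murray makes above (a message may carry several DKIM-Signature headers, each of which a verifier should be able to inspect on its own, and the separate body-hash check that the RSA verification of the headers does not cover) are shown below in a small Python example. This is an added illustration, not code from dkim-milter or libdkim: instead of calling dkim_getsiglist() and dkim_sig_getbh(), it re-implements the bh= computation from the body canonicalization rules of RFC 4871, and the message, domains and selectors are constructed for the example. The b= tag (the actual RSA signature over the headers) is deliberately left empty, since only the bh= step is being demonstrated.

```python
import base64
import hashlib
import re

# Hash algorithms named by the DKIM "a=" tag (RFC 4871, the spec in force
# when this thread was written; the body hash rules are unchanged in RFC 6376).
HASHES = {"rsa-sha1": hashlib.sha1, "rsa-sha256": hashlib.sha256}


def canonicalize_body(body, mode="simple"):
    """Canonicalize a raw message body (bytes) as 'simple' or 'relaxed'."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of SP/TAB to one SP and strip trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    # Both modes drop all trailing empty lines ...
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # ... an empty body is a single CRLF in simple mode, nothing in relaxed.
        return b"\r\n" if mode == "simple" else b""
    # ... and every remaining line, including the last, ends with CRLF.
    return b"\r\n".join(lines) + b"\r\n"


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        # Folding whitespace inside a value (common in bh= and b=) is ignored.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def compute_body_hash(body, algorithm, body_canon, limit=None):
    """Return the base64 bh= value for this body under the given tags."""
    canon = canonicalize_body(body, body_canon)
    if limit is not None:
        # An l= tag limits how much of the canonical body is hashed; anything
        # past that point is unsigned, which is why verifiers treat l= warily.
        canon = canon[:limit]
    return base64.b64encode(HASHES[algorithm](canon).digest()).decode("ascii")


def body_hash_matches(sig_tags, body):
    """The 'bh' test: does the signature's bh= match the body we were given?"""
    c_tag = sig_tags.get("c", "simple/simple").split("/")
    body_canon = c_tag[1] if len(c_tag) > 1 else "simple"  # "c=relaxed" means relaxed/simple
    limit = int(sig_tags["l"]) if "l" in sig_tags else None
    expected = compute_body_hash(body, sig_tags.get("a", "rsa-sha256"), body_canon, limit)
    return expected == sig_tags.get("bh", "")


def check_all_signatures(headers, body):
    """Mirror the siglist approach: report the bh result of every signature,
    as (d= domain, s= selector, body hash matched?)."""
    results = []
    for name, value in headers:
        if name.lower() != "dkim-signature":
            continue
        tags = parse_dkim_signature(value)
        results.append((tags.get("d", "?"), tags.get("s", "?"), body_hash_matches(tags, body)))
    return results


def make_signature_header(domain, selector, body, canon):
    """Signer side, constructed for this example: emit a header whose bh= is
    correct for `body`. b= is left empty because only the body-hash step is
    exercised here, not the RSA signature over the headers."""
    body_canon = canon.split("/")[1]
    bh = compute_body_hash(body, "rsa-sha256", body_canon)
    return ("v=1; a=rsa-sha256; c=%s; d=%s; s=%s; h=from:to:subject; bh=%s; b="
            % (canon, domain, selector, bh))


# Constructed sample message: a body signed by two agents (the author's domain
# and its ISP, as in the thread) plus a third signature carrying a bogus bh=.
SAMPLE_BODY = b"Hello Murray,\r\n\r\nThanks for the  reply.  \r\n\r\n\r\n"
ALTERED_BODY = SAMPLE_BODY + b"P.S. altered in transit.\r\n"
SAMPLE_HEADERS = [
    ("From", "erik@example.com"),
    ("DKIM-Signature", make_signature_header("example.com", "mail", SAMPLE_BODY, "relaxed/relaxed")),
    ("DKIM-Signature", make_signature_header("isp.example", "out1", SAMPLE_BODY, "simple/simple")),
    ("DKIM-Signature", "v=1; a=rsa-sha256; c=simple/simple; d=bogus.example; s=x;"
                       " h=from; bh=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=; b="),
    ("Subject", "dkim_getsiglist()"),
]

if __name__ == "__main__":
    for domain, selector, ok in check_all_signatures(SAMPLE_HEADERS, SAMPLE_BODY):
        print("original body: d=%s s=%s bh %s" % (domain, selector, "matches" if ok else "MISMATCH"))
    for domain, selector, ok in check_all_signatures(SAMPLE_HEADERS, ALTERED_BODY):
        print("altered body:  d=%s s=%s bh %s" % (domain, selector, "matches" if ok else "MISMATCH"))
```

Run against the original body, the first two signatures report a body-hash match and the bogus one does not; run against the altered body, all three fail, which is exactly the case Murray describes: the header signature would still verify, so a verifier that skips the bh step would approve a tampered message.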
