On 4/27/10 10:34 AM, Murray S. Kucherawy wrote:
>> -----Original Message-----
>> From: Jeff Macdonald [mailto:[email protected]]
>> Sent: Tuesday, April 27, 2010 10:05 AM
>> To: McDowell, Brett
>> Cc: Murray S. Kucherawy; [email protected]
>> Subject: Re: [ietf-dkim] Wrong Discussion - was Why mailing lists
>> should strip DKIM signatures
>>
>>> That's interesting. Let's make this concrete... I'll use myself as
>>> an example.
>>>
>>> X = me/PayPal.com
>>> Y = this list/[email protected]
>>> Z = Google's Gmail service [1]
>>>
>>> It is my assumption that someone subscribed to this list has a
>>> gmail.com account (or a Yahoo.com account [2]). Therefore, my use case
>>> is simple. I would hope that those of you reading this from your Gmail
>>> or Yahoo! accounts actually receive this message. If Z breaks the
>>> signature, you won't see this.
>>
>> How about Y breaking the signature? I see your message only because I
>> told Gmail's filtering system to not put messages into the spam folder
>> for this list. Otherwise it would have gone into the spam folder.
>> Looking at the source of the message, I only see the list's DKIM
>> signature.
>>
> Y breaking the signature isn't relevant (in this hypothesis). Y also says
> when it got the message from X, X's signature was intact. That Y messed up
> the signature, making Z unable to verify it directly, is not important; Z
> trusts Y, so Z trusts Y's Authentication-Results: that says X's signature was
> fine when it got to Y.

While messages with intact DKIM signatures of financial institutions offer
reasonable protection, acceptance of broken signatures validated by some
third-party's Authentication-Results header would impose significant risk.
Any mailing list that does remove Authentication-Results headers would
provide easy exploits of X.

>> Should the policy statements be ignored at that point?
>>
> In this hypothesis, they could be. Or, they could be applied. If X's ADSP
> says "all" or "discardable", and Z trusts Y, and Y claims X's message had a
> valid signature, ADSP is satisfied.

Acceptance of DKIM messages signed by Y is likely to be less strict than those
by X, and likely to overlook broken signatures or the lack of
Authentication-Results headers. However, an authorization scheme able to scale
to any number of such lists using a single DNS transaction ensures X remains in
control of the acceptance of their messages, without needing special private
arrangements for making specific exceptions.

Since X has the most at stake, an authorization scheme would allow X to
indicate which ADSP acceptance exceptions are desired. The indication could be
made on behalf of X through some designated vouching service, or directly by X
when they have audited the domains being used by them. The ADSP record could
include a flag to alert recipients of the existence of an added third-party
authorization mechanism.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
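The trust chain Murray describes (Z honouring Y's Authentication-Results claim about X's signature) and the forgery risk Doug raises, modelled as a receiver-side check; this is an added example written for this thread, not code from any DKIM implementation. It assumes a real DKIM verifier has already produced the set of d= domains whose signatures validated, that the trusted forwarder's authserv-id equals its signing domain, and all header values are constructed sample data.

```python
import re

# Added example: Z's decision logic for X's ADSP when X's own signature was
# broken in transit by Y. Z only honours Y's Authentication-Results (A-R)
# header if Y is a trusted forwarder, Y's own DKIM signature verified, and
# that signature covers the A-R field (so it could not be injected after Y
# signed). Assumption: the A-R authserv-id equals Y's DKIM d= domain.

TRUSTED_FORWARDERS = {"mipassoc.org"}  # Y: forwarders whose A-R claims Z honours


def parse_auth_results(value):
    """Parse a simplified RFC 5451 A-R value: 'authserv-id; method=result props'."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0]
    results = {}
    for resinfo in parts[1:]:
        tokens = resinfo.split()
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method] = (result, props)
    return authserv_id, results


def dkim_tag(sig_value, tag):
    """Return one tag value (e.g. d= or h=) from a DKIM-Signature header value."""
    m = re.search(rf"(?:^|;)\s*{tag}=([^;]*)", sig_value)
    return m.group(1).strip() if m else ""


def adsp_satisfied(headers, author_domain, adsp, verified_domains):
    """headers: lowercase header name -> value. verified_domains: d= values
    whose signatures an external DKIM verifier already validated (assumed)."""
    if adsp not in ("all", "discardable"):
        return True                      # ADSP 'unknown': nothing to enforce
    if author_domain in verified_domains:
        return True                      # X's own signature survived intact
    ar, sig = headers.get("authentication-results"), headers.get("dkim-signature")
    if not ar or not sig:
        return False
    authserv_id, results = parse_auth_results(ar)
    if authserv_id not in TRUSTED_FORWARDERS:
        return False                     # A-R from an unknown/untrusted party
    if dkim_tag(sig, "d") != authserv_id or authserv_id not in verified_domains:
        return False                     # forwarder's own signature not valid
    covered = {h.strip().lower() for h in dkim_tag(sig, "h").split(":")}
    if "authentication-results" not in covered:
        return False                     # A-R not protected by Y's signature
    dkim = results.get("dkim")
    return bool(dkim) and dkim[0] == "pass" and dkim[1].get("header.d") == author_domain
```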
