On Thu, 28 Apr 2011 20:00:33 +0100, Rolf E. Sonneveld  
<[email protected]> wrote:

> On 4/28/11 7:38 PM, Murray S. Kucherawy wrote:

>> Thus it is with DKIM.  DKIM sits on top of RFC5322 and related message  
>> format specs, which in turn sit on top of SMTP, which sits on top of  
>> TCP, which sits on top of IP, which sits on top of Wi-Fi or Ethernet,  
>> etc.  DKIM delivers the "d=" and other stuff to the next layer up.  It  
>> doesn't know or care what that "d=" is other than its use to complete  
>> the key retrieval step.  The next layer up, i.e. what sits on top of  
>> DKIM, is the one that is free to compare "d=" to From: or whatever else  
>> it wants to do.  That's not DKIM, that's ADSP or domain reputation or  
>> whatever other application we want to come up with that makes use of  
>> the output of DKIM.
>
> Right. I strongly believe in the layered approach. However, that's
> exactly the problem here. Like with IP and SMTP and any layered
> application, the upper layer is dependent on what the lower layer
> provides it with. If DKIM only enforces:
>
> d= and
> verification status
>
> to be output, then the layered applications you describe (ADSP, domain
> reputation, whatever) don't (always) have the means to do their job.

Indeed so. The task of DKIM is to express a *reliable* opinion on the  
validity of a signature. All it can say is "PASS" or "FAIL" (actually  
PERMFAIL or TEMPFAIL) and quote the 'd=' and 'h=' tags which it is  
affirming. No Ifs or Buts.

BUT the higher layers include not only the assessor (which will surely be  
DKIM-aware) but all the subsequent agents through which it may pass  
(notably the recipient's MUA) which are likely less DKIM-aware; but all of  
them need to *rely* in some way on the verifier's assessment.

Therefore, if there is any possibility that subsequent agents will  
misinterpret the assurance given or implied to them, then it is much  
better for the verifier to report "FAIL" which, to agents beyond the  
assessor, indicates that no *reliable* signature was seen.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       Web: http://www.cs.man.ac.uk/~chl
Email: [email protected]      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
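The layering argued about above, as an added illustration that is not part of this thread and not code from any DKIM implementation: the DKIM layer hands upward only a status (PASS / PERMFAIL / TEMPFAIL) plus the d= and h= tags it affirms, and a separate policy layer (ADSP-style) is the one that compares d= against the From: domain. The DKIM-Signature header is constructed, and the cryptographic check is replaced by a `crypto_result` argument, since real verification needs the selector's public key from DNS; `parse_dkim_tags`, `verifier_output` and `assess` are names chosen here. The verifier also reports PERMFAIL when From: is absent from h=, the "report FAIL rather than let a later agent misread the assurance" choice from the message.

```python
from email.utils import parseaddr

# Constructed DKIM-Signature value (the bh= and b= fields are placeholders,
# not a real hash or signature).
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "h=from:to:subject:date; bh=ZmFrZWJvZHloYXNo=; "
    "b=ZmFrZXNpZ25hdHVyZQ=="
)


def parse_dkim_tags(value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 tag-list).

    Tag names are lower-cased; folding whitespace inside values is dropped,
    which is harmless for h= (header names) and for the base64 b=/bh= fields.
    """
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DKIM tag: %r" % part)
        name, val = part.split("=", 1)
        tags[name.strip().lower()] = "".join(val.split())
    return tags


def signed_headers(tags):
    """Header field names listed in h=, lower-cased, in signing order."""
    return [h.lower() for h in tags.get("h", "").split(":") if h]


def verifier_output(tags, crypto_result):
    """What the DKIM layer passes upward: status plus the affirmed d= and h=.

    crypto_result ("pass", "fail" or "tempfail") stands in for the signature
    check; a real verifier would fetch the key from DNS and verify b=.
    """
    if crypto_result == "tempfail":
        status = "TEMPFAIL"
    elif crypto_result == "pass" and "from" in signed_headers(tags):
        status = "PASS"
    else:
        # RFC 6376 requires From: to be signed. A signature that omits it is
        # not something later agents can safely rely on, so it is reported as
        # a failure rather than a pass with a caveat nobody upstream reads.
        status = "PERMFAIL"
    return {"status": status, "d": tags.get("d", "").lower(), "h": signed_headers(tags)}


def assess(output, from_header):
    """Policy layer above DKIM: relate the affirmed d= to the From: domain.

    This is the kind of comparison ADSP or a reputation system performs; the
    DKIM verifier itself never does it.
    """
    if output["status"] != "PASS":
        return "no reliable signature"
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    d = output["d"]
    if from_domain == d or from_domain.endswith("." + d):
        return "author domain signature"
    return "third-party signature from " + d


if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_DKIM_SIGNATURE)
    out = verifier_output(tags, "pass")
    print(out)
    print(assess(out, "Alice <alice@example.com>"))
    print(assess(out, "Eve <eve@other.example>"))
```

Running it shows the two layers separately: the verifier's dict carries only the status, d= and h=, and the `assess` call is where d= and From: meet. Swapping `"pass"` for `"fail"` collapses everything above the verifier to "no reliable signature", which is the behaviour the message argues for.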
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
