Hi. Im new here, and have been a mail server operator for quite a bit of a time.
I just got a new idea for a new internet standard - that builds upon DKIM - that should be named as DKIM-QR. And want to hear your toughts about the idea. The idea is as follows: An DKIM-compliant sender, can choose to include a QR-code in the email, as a picture. How this QR-code is generated on the sender's side (either by unique ID that loads the whole QR from a database, or by embedding the whole DKIM signature inside the src= of the image and then have server to generate the QR, or simply attaching the QR code to the email as a inline attachment) is up to the sender. The QR code's textual content should be "dkim://" followed by the content of the "DKIM-Signature:" header field, in an URL_Safe format, then followed by the content of the fields being signed in the same order as it appears in the h= field. Note here, that if full body is signed, the content of the QR code signature, and the DKIM-Signature: field, will differ by the bh=, as the email without QR-code embedded will be signed in the QR-signature, and the header DKIM-Signature will have the email WITH the QR-signature. This should be completely valid, otherwise a chicken&egg problem would appear if the signature must be a signature of itself. If the sender want to save on signing resources, he can use the l= tag to exclude the to-be-appended QR from body validation, then the sender can just copy the mail's signature from the header and append the generated QR to the email. URL-safe then means ; must be replaced with &, and all base64 strings should be converted to URL-safe format, where + is replaced by - and / is replaced by _, and any padding is removed. On the end, a &-separated list of all signed header fields should be included after a ?. The header DKIM-Signature: v=1;a=rsa-sha256;d=filmstaden.se;s=apsis;c=relaxed/relaxed; q=dns/txt; t=1639144767;h=content-type:mime-version:subject:date:message-id:to:from:fee dback-id:reply-to:list-unsubscribe-post:list-unsubscribe;bh=2hkchgJnI3p6njCQ xrjr8vXfERYte+YcbH+rnJbgtEs=;b=Ulh8/Hi1eYO4tp9TgSWVSsHvi2AE7bL48/lR+F5IcIwJu fNbaGafOMjQvj7c8+w3mkWneNskNYHJ1WBr6T+cMaUPgmiUiRRviyl2BWhmPivcfZVA/B4xSOcRW 2nMjOvWRldcrdkrz00g2XnwJwyyE02e8quaBjzODe4bTTUHWyNeap+kE9R0rAfTAcTvRYCOiqtUi tIIU6a82W10C8rXR6Atx/wIl3mQAsP6sZpGckUtCfFPPdD1n6gCS6FDav7Ss7a2DQjzhkallSWaO fQ5IpKiYqcLf1kTPdtL4Gw/TYbKzOJDHCQ3BA8HBzFDXdhwBW03pkbuwzdz+T6/caylbg== Would in QR-form become: dkim://v=1&a=rsa-sha256&d=filmstaden.se&s=apsis&c=relaxed/relaxed&q=dns_txt& t=1639144767&h=content-type:mime-version:subject:date:message-id:to:from:fee dback-id:reply-to:list-unsubscribe-post:list-unsubscribe&bh=2hkchgJnI3p6njCQ xrjr8vXfERYte-YcbH-rnJbgtEs=&b=Ulh8_Hi1eYO4tp9TgSWVSsHvi2AE7bL48_lR-F5IcIwJu fNbaGafOMjQvj7c8-w3mkWneNskNYHJ1WBr6T-cMaUPgmiUiRRviyl2BWhmPivcfZVA_B4xSOcRW 2nMjOvWRldcrdkrz00g2XnwJwyyE02e8quaBjzODe4bTTUHWyNeap-kE9R0rAfTAcTvRYCOiqtUi tIIU6a82W10C8rXR6Atx_wIl3mQAsP6sZpGckUtCfFPPdD1n6gCS6FDav7Ss7a2DQjzhkallSWaO fQ5IpKiYqcLf1kTPdtL4Gw_TYbKzOJDHCQ3BA8HBzFDXdhwBW03pkbuwzdz-T6_caylbg?multip art/alternative; boundary="----A854E1CE55B241EFA7CBBDCF4B9DFCB1"&MIME-Version: 1.0&=?UTF-8?Q?K=C3=B6p_biljetter_idag_till_The_Matrix_Resurrections!?=&Fri, 10 Dec 2021 14:59:29 +0100&329fc538580440abb21e9f4858643...@filmstaden.se&"Sebastian Nielsen" <sebast...@sebbe.eu>&"Filmstaden Medlem" <medlem.no-re...@filmstaden.se>&********:*********************:*-1:apsis&med lem.no-re...@filmstaden.se&List-Unsubscribe=One-Click&<https://www.anpdm.com /oa-auto/********/**************************>,<mailto:del...@apsis.com?subje ct=UnReg:*******::********************************::*> And now to why this would be useful: An receiver of an email, could then scan the QR code with his mobile phone, and the mobile app would do the validation against public DNS. This, if this would become a standard, could be even implemented built-in in phones. The validation popup should be part of phone, not a web page, indicate if signature validation is OK, which domain that signed (d= of the DKIM signature), and the content of the fields "From", "To", "Date", "Subject" - if those fields were signed. This allows a user, to be able to DKIM validate an email EVEN if the receiving system has no support for DKIM validation at all, neither the client or receiving mail server. This would increase trust for email, as users that suspect an email with an embedded link is phishing, could easily scan the QR code with his mobile phone, and instantly know the email is legit. Security considerations: If a phisher steals the QR code, he would not be able to use it, because the Date: will be different. It would be immediately clear to the receiver that its an old signature that have been wrongly reused. Since the To: is included in the validation popup, it would also be evident to the original user that the To: address doesn't match. And misusing a QR for one email, to send a phishing email with another content, would also be evident either by the subject tag not matching the content of the email, or the subject tag not matching whats shown in validation popup. There is a risk that someone might include a malicious link instead of dkim:// in QR-code, but since all the QR scanner apps today ask the user if they want to open the link, the danger decreases. Also another thing is that mobile phones are today inherently more secure, as they, unless configured, will refuse to install binaries from unknown sources and isolate apps from each other, meaning that even if a dangerous link would be mistakenly opened, nothing would install without clicking through multiple consent windows. This would bring DKIM more to the masses, by senders being able to put in a "Scan-To-Verify" DKIM-QR in emails, also prompting users to verify their emails. Would love to hear the toughts about the idea. Best regards, Sebastian Nielsen
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
