[ietf-dkim] DKIM Threat Assessment v0.02 (very rough draft)
Michael Thomas
mike at mtcc.com
Tue Aug 9 17:02:53 PDT 2005
Earl Hood wrote:
> On August 9, 2005 at 15:42, Michael Thomas wrote:
>
>
>>>This is precisely what DKIM does. It is the domain administrator who defin
>>
>>es
>>
>>>the DNS records used by DKIM and DKIM's granularity of the validated identi
>>
>>ty is
>>
>>>a domain name.
>>
>>That is not correct. The local part of the i= is intended to
>>provide a binding to the local part of outside origination
>>headers, not just the domain part. Which is why it is,
>>in fact, a primary goal.
>
>
> The setting of i= is under the control of the signing agent, which
> does not have to be the author/sender. If I understand Dave's (and
> some others) view of DKIM, it is the domain owner who has the control
> of setting i= (via the domain owner's signing process).
Yes.
> The granularity of the value of i= is solely up to the domain owner
> and the internal (security) policies it defines when signing messages
> submitted by the domain owner's users.
Yes. I'm only objecting to the characterization that the
granularity is only at the domain level. The domain can
make assertions about the local part and still be completely
up to the internal policies of the domain holder. This is
one reason that the assertion that DKIM makes and PGP/SMIME
are very different assertions.
> The strength of the identity specified in i= is completely up to the
> domain owner, and only has meaning to the domain owner. As noted in
> the DKIM draft, the value of i= may not represent any address value
> in a message header (e.g. rfc2822.from/sender).
Yes, but when it does, it has significance in what the
signature is asserting.
Mike
More information about the ietf-dkim
mailing list