[ietf-dkim] Not exactly not a threat analysis
tlr at w3.org
Tue Aug 16 13:10:34 PDT 2005
(Catching up on list traffic, hence the late response...)
On 2005-08-14 22:30:01 -0700, Dave Crocker wrote:
> There is nothing in an ordinary email message, except for
> the RCPT TO line and the IP address of the host that sent it
> to you, that is a reliable identifier. A validated DKIM
> signature lets you take some reasonable subset of the
> message you received and know that it came from a designated
> source. The main benefit of DKIM is that a validating agent
> can know where the message came from. This is more
> reliability than email source identification has ever had.
> How do folks feel about this characterization of DKIM?
What does "know that a message came from a designated source" mean?
There are (at least) two possible interpretations of these words.
One interpretation is that the recipient knows that the sender sent
this particular instance of the message to him. To make this
happen, one would probably want to sign
(message-id, message-hash, envelope sender, envelope recipient)
tuples (maybe with RFC2822.from instead of SMTP.mailfrom) -- making
the (strong) assumption that message-IDs, all other elements being
equal, can serve to disambiguate between different chains of SMTP
transactions. DKIM does not do this.
The other interpretation would be that a given sender has approved a
certain message for sending -- period. No assurance about the
recipient or binding to a particular transaction is given. Signing
the To header does not provide this kind of assurance.
This rather limited assurance is all that DKIM gives, and any
description of the protocol should be very careful to make clear that
this interpretation is intended, not the first one above.
Thomas Roessler, W3C <tlr at w3.org>
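
Added example, not part of the original message and not DKIM's actual canonicalization or signature algorithm: a minimal model of the two interpretations above, showing which of them notices that the same message arrived through a different SMTP transaction. Assumptions: an HMAC stands in for the signer's public-key signature, the names `Delivery`, `content_tag` and `transaction_tag` are hypothetical, and all addresses are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # assumption: HMAC key stands in for the signer's key pair

@dataclass(frozen=True)
class Delivery:
    mail_from: str  # SMTP envelope sender
    rcpt_to: str    # SMTP envelope recipient
    headers: tuple  # (name, value) pairs of the message header
    body: bytes

def _tag(*fields: str) -> str:
    # Length-prefix each field so distinct tuples never encode to the same bytes.
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for f in fields:
        raw = f.encode()
        mac.update(len(raw).to_bytes(4, "big") + raw)
    return mac.hexdigest()

def content_tag(d: Delivery) -> str:
    """Second interpretation: covers header fields and body only."""
    h = dict(d.headers)
    return _tag(h["From"], h["To"], h["Message-ID"], hashlib.sha256(d.body).hexdigest())

def transaction_tag(d: Delivery) -> str:
    """First interpretation: the tuple from the message, envelope included."""
    h = dict(d.headers)
    return _tag(h["Message-ID"], hashlib.sha256(d.body).hexdigest(), d.mail_from, d.rcpt_to)

def verifies(d: Delivery, tag: str, scheme) -> bool:
    return hmac.compare_digest(scheme(d), tag)

def demo() -> dict:
    sent = Delivery("alice@example.org", "bob@example.com",
                    (("From", "alice@example.org"), ("To", "bob@example.com"),
                     ("Message-ID", "<1@example.org>")), b"hello\r\n")
    # Identical message bytes arriving through a different SMTP transaction.
    other = replace(sent, rcpt_to="carol@example.net")
    altered = replace(sent, body=b"hullo\r\n")
    c, t = content_tag(sent), transaction_tag(sent)
    return {
        "content/original": verifies(sent, c, content_tag),
        "content/other-rcpt": verifies(other, c, content_tag),
        "content/altered": verifies(altered, c, content_tag),
        "transaction/original": verifies(sent, t, transaction_tag),
        "transaction/other-rcpt": verifies(other, t, transaction_tag),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'invalid'}")
```

The content tag covers the To header yet still validates for a different envelope recipient, so a verifier that needs per-recipient or per-transaction assurance has to obtain it from something other than the signature.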