[ietf-dkim] Re: Responsibility concerns with DesignatedSigning
nobody at xyzzy.claranet.de
Sun Aug 27 15:25:50 PDT 2006
Hector Santos wrote:
> Subject: Check your account
> Date: Sun, 27 Aug 2006 05:04:42 -0700
> From: accounts at bank.com
> To: PoorUser at ISP.COM
> Sender: support at asp.com
> DKIM-Signature: d=bank.com # invalid 1st party
> DKIM-Signature: d=asp.com... # valid 3rd party
> According to DKIM-BASE, the valid 3PS signature would make
> this an valid DKIM message, even if the 1st party signature
As far as asp.com is concerned it is valid, no hops between you
and them manipulated the mail. Maybe one of their users got a
legit mail from bank.com and forwarded it to his mailbox behind
your MX - but then I'd expect to see a Resent-From or similar.
So from your POV it's invalid if the bank.com SSP says so, and
if you didn't forget to mention an important header field. But
your user might have arranged his forwarding via a munger, then
it's the known SPF problem.
> it is the unrestricted vs. restricted 3rd party signatures
> that we mostly differ at. Atleast that is how I see where
> the disagreement lies.
It can be both correct: Let's take a realistic example, GMail
starts to offer forwarding, but adds some ads plus their own
signature, destroying the signature of bank.com. If we have
a couple of "MUST reject" and implementations actually doing
this they might give up. Something has to give, bank.com, the
munger, the verifier, or the user.
With mail I expect the worst, the crap is dumped with a big
red "fishy" icon into the mailbox of the unhappy user. The
user will delete it unread, bank.com will give up its SSP,
the verifier gives up to use DKIM... tell me why I'm wrong.
More information about the ietf-dkim