[ietf-dkim] Delegated signatures in real life
Steve Atkins
steve at blighty.com
Tue Aug 29 17:13:54 PDT 2006
On Aug 29, 2006, at 4:41 PM, Hallam-Baker, Phillip wrote:
> Orbitz might not care about the security issues raised by allowing
> doubleclick to sign messages on behalf of their CEO and other
> executives. Many others will.
Why is that a security issue?
As I understand it, email sent by ceo at orbitz.com where he
wants to assert that he is the author will use S/MIME or similar.
DomainKeys and friends specify who has taken responsibility for
an email, not the identity of the author. Anyone prepared to take
responsibility either directly or indirectly (by sharing their private
key or delegating control over some subset of their key publication)
can do that.
So... the idea that DomainKeys would be used to "sign" email, in
an S/MIME or PGP sort of sense, on behalf of an individual seems
somewhere between meaningless and nonsensical.
What am I missing here?
Cheers,
Steve
>
> This is a security area spec, least privilege must apply wherever
> possible.
>
>> -----Original Message-----
>> From: ietf-dkim-bounces at mipassoc.org
>> [mailto:ietf-dkim-bounces at mipassoc.org] On Behalf Of John L
>> Sent: Tuesday, August 29, 2006 6:18 PM
>> To: DKIM List
>> Subject: [ietf-dkim] Delegated signatures in real life
>>
>> Here's the headers from a message that Doubleclick just sent
>> to my Yahoo account on behalf of Orbitz. Note that the From:
>> address and DK signature are in email.orbitz.com, even though
>> it was sent by Doubleclick from a Doubleclick IP. Yahoo
>> thoughtfully displayed a little note saying that the DK
>> signature was good when I looked at the message. I also
>> include the key record, retrieved from Doubleclick's name servers.
>>
>> Senders already use NS delegation to let third parties put on
>> first party DK signatures. It works. It's popular. There
>> is no need to invent another way to solve this solved problem.
>>
>> Regards,
>> John Levine, johnl at iecc.com, Primary Perpetrator of "The
>> Internet for Dummies", Information Superhighwayman wanna-be,
>> http://www.johnlevine.com, Mayor "More Wiener schnitzel,
>> please", said Tom, revealingly.
>>
>>
>> X-Apparently-To: jrlevine2 at yahoo.com via 206.190.38.154; Tue,
>> 29 Aug 2006 07:42:48 -0700
>> X-Originating-IP: [198.31.62.19]
>> Authentication-Results: mta162.mail.mud.yahoo.com
>> from=email.orbitz.com; domainkeys=pass (ok)
>> Received: from 198.31.62.19 (EHLO mta.email.orbitz.com)
>> (198.31.62.19)
>> by mta162.mail.mud.yahoo.com with SMTP; Tue, 29 Aug 2006
>> 07:40:52 -0700
>> DomainKey-Signature: s=dk; d=email.orbitz.com; c=nofws;
>> q=dns;
>> b=nUvGhBPdC8bKVo8E/nLbHWcPJE7mFu83ePkSkmcE91EYdNUb7Wl4emekvK3t
>> kHzRCu1u94C7oWy5xX/HOjRBOkudiRdnWaTMkZmHypYllnuyUX71y7WhkeojckSbInn6;
>> Date: Tue, 29 Aug 2006 10:40:32 -0400 (EDT)
>> From: "Orbitz"<Orbitz at email.orbitz.com>
>> To: jrlevine2 at yahoo.com
>> Subject: Joe, Sale Ending & Rochester Flights from $142 r/t
>> MIME-Version: 1.0
>> Content-Type: text/html; charset="us-ascii"
>> Content-Transfer-Encoding: 7bit
>> Content-Length: 6278
>>
>> (look for the key record)
>>
>> $ dig dk._domainkey.email.orbitz.com txt
>>
>> ; <<>> DiG 9.3.1 <<>> dk._domainkey.email.orbitz.com txt
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23293
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;dk._domainkey.email.orbitz.com. IN TXT
>>
>> ;; ANSWER SECTION:
>> dk._domainkey.email.orbitz.com. 21600 IN TXT
>> "p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALdLXrYpY2RRUPHr6ph9jVnrFAY
>> vyNjEgGVRmxjiu2EUBEyQDKFOSiDzS00xN/HaIt5IknLJumgu/YdaHhHAgsnnO
>> RUV1JwDcOZ3Xo3Iz9cT3ojg4us6SpQhl01dVGS6dwIDAQAB\;"
>>
>>
>> _______________________________________________
>> NOTE WELL: This list operates according to
>> http://mipassoc.org/dkim/ietf-list-rules.html
>>
>>
>
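As an added example (not code from the thread or from any of its participants), the following Python checks the two things a domain owner or receiving-side reviewer would want to know about the message John quotes: where in DNS the selector record is actually served, and how large the published RSA key is. The signature tags and key record are copied from the quoted headers and dig output; the NS map is hypothetical, standing in for a live DNS walk, since the thread names no name servers.

```python
import base64

# Constructed inputs copied from the thread's quoted header and dig output (b= omitted).
DK_SIG = "s=dk; d=email.orbitz.com; c=nofws; q=dns;"
KEY_TXT = ('"p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhALdLXrYpY2RRUPHr6ph9jVnrFAY'
           'vyNjEgGVRmxjiu2EUBEyQDKFOSiDzS00xN/HaIt5IknLJumgu/YdaHhHAgsnnO'
           'RUV1JwDcOZ3Xo3Iz9cT3ojg4us6SpQhl01dVGS6dwIDAQAB\\;"')
# Hypothetical NS map standing in for live DNS: _domainkey is delegated to the mailer.
DELEGATED_ZONES = {
    "email.orbitz.com.": ["ns1.orbitz.example."],
    "_domainkey.email.orbitz.com.": ["ns1.vendor.example.", "ns2.vendor.example."],
}

def parse_tags(record):
    """Split a tag=value list (signature header or key TXT record) into a dict."""
    body = record.strip().strip('"').replace("\\;", ";")
    return {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in body.split(";") if "=" in t)}

def key_record_name(sig):
    return f"{sig['s']}._domainkey.{sig['d']}."   # name the verifier queries for TXT

def serving_zone(name, zones):
    """Longest-match walk up the name to the zone in the map that holds it."""
    labels = name.rstrip(".").split(".")
    candidates = (".".join(labels[i:]) + "." for i in range(len(labels)))
    return next(z for z in candidates if z in zones)   # StopIteration if unknown

def is_delegated(sig_header, zones):
    """True when the key record is served by name servers unrelated to the signing
    domain's own, i.e. a third party controls key publication for that selector."""
    sig = parse_tags(sig_header)
    key_zone = serving_zone(key_record_name(sig), zones)
    dom_zone = serving_zone(sig["d"] + ".", zones)
    return key_zone != dom_zone and set(zones[key_zone]).isdisjoint(zones[dom_zone])

def der_len(buf, i):  # DER length at buf[i] -> (length, index just past it)
    n = buf[i]
    if n < 0x80:
        return n, i + 1
    return int.from_bytes(buf[i + 1:i + 1 + (n & 0x7F)], "big"), i + 1 + (n & 0x7F)

def rsa_modulus_bits(key_txt):
    """Decode p= (a DER SubjectPublicKeyInfo) and return the RSA modulus size in bits."""
    der = base64.b64decode(parse_tags(key_txt)["p"])
    _, i = der_len(der, 1)              # outer SEQUENCE
    n, i = der_len(der, i + 1); i += n  # skip AlgorithmIdentifier SEQUENCE
    _, i = der_len(der, i + 1); i += 1  # BIT STRING; skip the unused-bits byte
    _, i = der_len(der, i + 1)          # RSAPublicKey SEQUENCE
    n, i = der_len(der, i + 1)          # modulus INTEGER
    return int.from_bytes(der[i:i + n], "big").bit_length()
```

Against the quoted record, `rsa_modulus_bits` reports a 768-bit key, and with the hypothetical map `is_delegated` flags that the selector is published from servers outside the signing domain's own.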