[ietf-dkim] The (really) latest SSP draft

[Charles Lindsey]

On Fri, 19 Oct 2007 20:07:30 +0100, Douglas Otis <dotis at mail-abuse.org>  
wrote:

> On Oct 19, 2007, at 8:46 AM, Jim Fenton wrote:

>> 4871 indeed uses a broad notion of "responsibility".  However, in the  
>> case where the signing address is the same* as some other header field,  
>> such as 2822.From, I don't see how a signer can be responsible for a  
>> message that uses its own address without an implied claim that the  
>> address is correct.
>>
>> * "same" meaning that the i= address is either the identical, or that  
>> the i= address has the same domain if i= has no specified local part.
>
> It would be a bit more accurate to use the term "signing domain", rather  
> than "signing address".  An address (the i= parameter) is optional,  
> after all.
>
> The optional i=  parameter represents the identity of the user or agent  
> (e.g., a mailing list manager) on who's behalf the message was signed.   
> The base specification makes no statement that this optional parameter  
> SHOULD NOT be applied when the user or agent identity has not been  
> validated.  (See the informative note about whether the i= parameter can  
> be trusted.)  Without a stipulation that the i= parameter MUST BE  
> validated, and exactly which validation mechanisms must be used within  
> the base specification, it would be a significant change to assume  
> inclusion of the i= parameter thereby confers responsibility to validate  
> identities onto signing domains.  There are also cases where the i=  
> parameter can not be applied, such as when the signing domain is within  
> a sub-domain of the identity, or when the identity is within another  
> domain.  Would you envision the blocking of messages which did not  
> include the i= parameter containing the local-part?

I think these questions are best addressed by examining scenarios where a  
signed message somehow does NOT originate from its purported From: (or  
Sender:), and whether the signer OUGHT (whatever that means) to have taken  
more care.

So, for an extreme example, suppose example.com is running an open relay  
and happily signs everything that passes through. So any scammer who wants  
to pretend to be From: someone at example.com simply submits his message to  
that open relay, and it comes out signed. I think we would all agree that  
example.com is being grossly irresponsible in that situation, whether he  
has technically breached 4871 or not. And if 4871 does allow that  
behaviour, then it is surely too weak, since the minimum that a signature  
shoudl imply is that this message did indeed originate within our domain.

But, to go further, if the signer goes to the trouble of including an "i="  
(which he is not obliged to do), then surely recipients are entitled to  
assume he did so for some good reason. So if he said  
i=subdomain.example.com, then surely the From/Sender can be expected to be  
 from that subdomain; and if he said i=someone at example.com, then surely  
recipients can assume that 'someone' had indeed played some part in  
sending it.

Otherwise, what is the point of signatures?

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
   Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5