[ietf-dkim] Nits with section 3 Operation Overview

Douglas Otis dotis at mail-abuse.org
Tue Oct 30 14:28:12 PST 2007 

On Oct 30, 2007, at 12:42 PM, Arvel Hathcock wrote:

> Just one suggestion.    I would rewrite the second sentence like this:
>
>  "This practice would be used by those domains who wish to  
> emphasize security over deliverability of their messages."

Unless the "From" field is specifically asserted as always signed,  
including other originating headers would allow spoofing of email- 
addresses within the particular domain by other domains.  However,  
this type of assertion interferes with deliverability of messages  
from various mailing lists.  If the assertion is intended to  
encompass both Sender and From fields as a type of escape mechanism,  
this would be expecting adoption of a strategy similar to that used  
by Microsoft where the MUA displays within the From field, "From:  
<sender-address> on behalf of <from-address>".  This synthetic field  
causes some confusion and angst as it is seen differently depending  
upon the MUA.  Of course the MUA could always display the Sender  
header, but then it could be confusing which field companies a valid  
signature.  Perhaps a green background placed behind any email  
addresses within a valid domain signature would be adequate.

The issue whether the i= identity has been validated in some fashion  
can not be answered without some specific additional assertion added  
to DKIM.  This assertion, if any are created, should be added to the  
Key if and when this becomes a requirement.  Don't expect this  
requirement to prove useful.  It would seem that the i= parameter  
within the signature field should become deprecated, as signers are  
likely to routinely add this to avoid deliverability or display  
issues.  If there is an inter-domain problem, this is something the  
signing domain needs to correct.  It would seem okay to simply say  
that highlighting any email-address be done whenever the domain is  
within a valid signing-domain, and ignore the issue of i=?.

For example, a message is signed-

  Sender: admin at example.com
  From: boss at example.com
  Dkim-signature: i=boss at example.com; d=example.com;...

Would the i= parameter invalidate the the admin at example.com address?
How should the synthetic "on behalf of" header be highlighted.

The i= parameter is a mess and should be deprecated at this point.

-Doug

More information about the ietf-dkim mailing list