[ietf-dkim] Re: Responsibility vs. Validity
dotis at mail-abuse.org
Wed Nov 28 14:48:28 PST 2007
On Nov 28, 2007, at 1:58 PM, Jim Fenton wrote:
> It seems that my language wasn't precise enough, so let me take
> another shot at it.
> It has been noted that when a signing domain "claims responsibility
> for the introduction of a message into the mail stream" it is not
> actually asserting the validity of any part of the message. This is
> relevant to SSP because it has a dependency on whether the Signing
> Address (i= address or its default) matches the address in the From:
> header field.
> I propose to solve that problem by adding language similar to the
> following to the SSP draft:
>> Domains publishing SSP records indicating practices other than
>> "unknown" MUST ensure the validity [correctness] of the address in
>> the From: header field for messages to which they apply an
>> Originator Signature.
> In other words, before applying an Originator Signature, make sure
> the message isn't spoofed.
Mailing-lists should still be able to sign their outbound messages!
I think you mean "Do not include the localpart within the i= parameter
when the email-address within the From header has not been
What about Sender and Resent-* headers?
Why not say: "Do not include the localpart within the i= parameter
when the email-address has not been authenticated." It does not
really matter which header contains a matching domain for which the
signature is being added.
This is not defined within the base draft where this added condition
appears to be a significant change.
Are DKIM signing MTAs even able to make these authentication assurances?
Should the i= parameter be forced to exclude localparts when this
email-address authentication assurance can not be made?
Secondly, how would you classify the possibility for spoofing when MUA
keys employ partial g= restrictions?
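The thread turns on three mechanics: how the Signing Address is derived from a DKIM-Signature (the i= tag, or its default of "@" plus the d= domain), how that address compares with the From: address (the dependency the SSP draft's Originator Signature has), and what a partial g= granularity on a key actually constrains. The script below is an added illustration, not code from the list post or from any DKIM implementation; it assumes constructed header values, does no cryptographic verification, and uses a deliberately simple tag-list and addr-spec parser.

```python
import re

# Constructed sample header values for illustration (not from the original post).
SAMPLE_SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel; i=alice@example.com; "
              "h=from:to:subject; bh=fakeBodyHash==; b=fakeSignature==")
SAMPLE_FROM = "Alice Example <alice@example.com>"


def parse_tags(header_value):
    """Parse a DKIM tag=value list (RFC 4871 section 3.2) into a dict.

    Splits on ';', takes the first '=' as the tag separator so base64 padding
    in b=/bh= survives, and strips folding whitespace from values.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signing_address(tags):
    """Return the Signing Address: the i= value, or its default '@<d=>'."""
    d = tags["d"].lower()
    i = tags.get("i")
    if i is None:
        return "@" + d
    local, _, domain = i.rpartition("@")
    return local + "@" + domain.lower()


def extract_address(from_header):
    """Return (local-part, domain) from a From: value; tolerates a display name."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def classify(sig_header, from_header):
    """Classify how the Signing Address relates to the From: address.

    'originator'         i= carries a local-part equal to the From: address
    'domain-only'        i= has no local-part (or is absent); only domains match
    'localpart-mismatch' same domain, but a different local-part was asserted
    'third-party'        signing domain differs from the From: domain
    'invalid-i'          i= domain is not d= or a subdomain of it (RFC 4871 3.5)
    """
    tags = parse_tags(sig_header)
    sig_local, _, sig_domain = signing_address(tags).rpartition("@")
    from_local, from_domain = extract_address(from_header)
    d = tags["d"].lower()
    if not (sig_domain == d or sig_domain.endswith("." + d)):
        return "invalid-i"
    if sig_domain != from_domain:
        return "third-party"
    if sig_local == "":
        return "domain-only"
    if sig_local == from_local:
        return "originator"
    return "localpart-mismatch"


def choose_i(local, domain, local_authenticated):
    """Signer-side policy from the post: only assert a local-part in i= when the
    signing MTA has actually authenticated that mailbox; otherwise sign for the
    domain alone so the signature does not vouch for an unverified address."""
    return (local + "@" + domain) if local_authenticated else ("@" + domain)


def granularity_allows(g, local):
    """Apply a key's g= tag (RFC 4871 section 3.6.1) to a signing local-part.

    g= may contain at most one '*', which matches zero or more characters; with
    no '*' it must equal the local-part exactly. A key published with e.g.
    g=mua-* can therefore only cover i= local-parts beginning with 'mua-'.
    """
    if g.count("*") > 1:
        raise ValueError("g= allows at most one wildcard")
    if "*" not in g:
        return g == local
    prefix, suffix = g.split("*")
    return (len(local) >= len(prefix) + len(suffix)
            and local.startswith(prefix) and local.endswith(suffix))


if __name__ == "__main__":
    print(signing_address(parse_tags(SAMPLE_SIG)))   # alice@example.com
    print(classify(SAMPLE_SIG, SAMPLE_FROM))         # originator
    print(choose_i("alice", "example.com", False))   # @example.com
    print(granularity_allows("mua-*", "mua-alice"))  # True
```

Running `classify` over a signature whose i= omits the local-part yields `domain-only`, which is the signer posture the post argues a mailing list or an MTA without mailbox authentication should adopt; `granularity_allows` shows why a partial g= restriction bounds, but does not by itself authenticate, which local-parts a delegated key can assert.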