[ietf-dkim] DKIM does not claim content is correct
dhc at dcrocker.net
Wed Jan 28 06:12:48 PST 2009
Suresh Ramasubramanian wrote:
> Doesnt have to sign *all* - but some key fields like an authenticator
> and/or received headers that stamp Received: from (foo at localhost) say
> Yes I know dkim doesnt validate content .. grandma v/s botmaster is
> reputation hijack, an entirely different kettle of fish and not
> germane here.
My point was more basic than whether the signer can be subverted.
My point is that DKIM semantics do not include a statement about the
truthfulness of *any* message data, except the d= and probably the i= tags in
the DKIM-Signature: field.
It provides data integrity, for the portions covered by the hash, and it
authenticates the asserted "signing identity". It does *not* assert
authorization of the From: field.
Given the community tendency to make assumptions about DKIM that aren't in the
specification, this really is worth being extremely careful about.
More information about the ietf-dkim