[ietf-dkim] DKIM does not claim content is correct

Dave CROCKER dhc at dcrocker.net
Wed Jan 28 06:12:48 PST 2009



Suresh Ramasubramanian wrote:
> Doesn't have to sign *all* - but some key fields like an authenticator
> and/or received headers that stamp Received: from (foo at localhost) say
...
> Yes I know DKIM doesn't validate content .. grandma v/s botmaster is
> reputation hijack, an entirely different kettle of fish and not
> germane here.


My point was more basic than whether the signer can be subverted.

My point is that DKIM semantics do not include a statement about the 
truthfulness of *any* message data, except the d= and probably the i= tags in 
the DKIM-Signature: field.

It provides data integrity, for the portions covered by the hash, and it 
authenticates the asserted "signing identity".  It does *not* assert 
authorization of the From: field.

Given the community tendency to make assumptions about DKIM that aren't in the 
specification, this really is worth being extremely careful about.

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
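The distinction Dave draws, as an added illustration that is not part of the thread: the only facts a passing DKIM signature yields are the d= and i= tags and the set of header fields listed in h=, so whether the From: domain matches the signer is a separate policy question the verifier must ask on its own. The headers and tag values below are constructed, and bh=/b= are placeholders, so this reads what the signature claims to cover rather than verifying it.

```python
import re
from email.utils import parseaddr

# Constructed sample headers (not from the thread). The signature follows the
# RFC 4871 tag-list shape, but bh=/b= are placeholders: nothing here is
# cryptographically verified, we only read what the signature asserts.
SAMPLE_HEADERS = [
    ("From", "Grandma <grandma@example.org>"),
    ("To", "ietf-dkim@example.com"),
    ("Subject", "hello"),
    ("Received", "from [192.0.2.10] by mx.example.net; Wed, 28 Jan 2009"),
    ("DKIM-Signature",
     "v=1; a=rsa-sha256; d=example.net; s=sel1; i=@example.net;\r\n"
     "\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER"),
]


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping the
    folding whitespace that RFC 4871 allows inside a value."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")  # first '=' only: b= may contain '='
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_assertions(headers):
    """Everything a *passing* signature lets a verifier conclude: the signing
    domain (d=), the agent/user identifier (i=), and which header fields are
    integrity-protected (h=). Received: is not in h= here, so it is not covered,
    and nothing is said about the truth of any covered field's content."""
    sig = next(v for k, v in headers if k.lower() == "dkim-signature")
    tags = parse_dkim_tags(sig)
    covered = [h.lower() for h in tags.get("h", "").split(":") if h]
    return {"d": tags["d"], "i": tags.get("i"), "covered": covered}


def from_domain_matches_signer(headers):
    """Separate policy question DKIM does not answer: does the From: domain
    equal d=? A mismatch is not a DKIM failure; it only means a pass must not
    be read as 'From: is authorized'."""
    _, addr = parseaddr(next(v for k, v in headers if k.lower() == "from"))
    from_domain = addr.rpartition("@")[2].lower()
    return from_domain == dkim_assertions(headers)["d"].lower()


if __name__ == "__main__":
    facts = dkim_assertions(SAMPLE_HEADERS)
    print("signer d=%s i=%s covers %s" % (facts["d"], facts["i"], facts["covered"]))
    print("From: domain equals signer?", from_domain_matches_signer(SAMPLE_HEADERS))
```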

