[ietf-dkim] Broken signatures, was Why mailing lists should strip them
vesely at tana.it
Wed Apr 28 09:58:21 PDT 2010
On 28/Apr/10 12:58, SM wrote:
> At 11:27 27-04-10, Alessandro Vesely wrote:
>>At any rate, all what I'm trying to say is that a few certified
>>fields, e.g. "From:", "To:", and "Date:", are more useful than a
>>broken signature, in most cases.
> Yes, they are. RFC 4871 describes what is being covered by the DKIM
> Signature. For the sake of the discussion, I'll overlook that.
The term "integrity" only appears in the abstract.
> It would be good to have these fields certified by limiting the DKIM
> signature to cover them only. There are cases where we will still
> end up with a broken signature though.
Do you have specific examples? Could a "mellowed" canonicalization
cope with them?
> In a one to one exchange, let's presume that the message won't be reinjected.
(but snooping is possible)
> It's different
> for an open mailing list as you any of the subscribers can reuse what
> has been certified and add their own content. In simple terms, you
> are providing a blind certificate by only (DKIM) signing those fields.
Yes, I am, but with added constraints with respect to what they can do
using no signature at all. The "Date" constraint may result in badly
positioning those replayed messages. Wrong "To" fields make a message
suspect. In addition, spammers don't seem to be seeking the increased
likelihood of being opened that messages could get if their "From"
values were familiar to the recipients.
> We could use this blind certification for one to one exchanges. If
> the recipient's account or any of the hops through which the message
> transits is compromised, there will be abuse. That's already
> happening by the way.
Replay attacks? Spam is also happening. As an email user, I'm not
overly worried about spoofed signatures: They are not legally binding,
and I trust human recipients are able to distinguish fake messages in
case they occur. I'm not easing spammers' job by signing mail, even
though I'd use weaker signatures for increased resiliency. In facts,
the backscatter I get is not signed.
> I would caution anyone against using such a
> certification for mailing lists as they will be providing a means for
> anyone to affix their DKIM signature to new content. I am not
> recommending "l=0".
The reason I'm also reluctant to recommend it is because restrictive
acceptance policies may discard such messages, as John mentioned. The
same concern also applies to possible weaker canonicalizations: would
receivers be tempted to rule them out? I think receivers should trust
the signing policies that senders devise for the messages they send.
It is true that by the 80%-20% criterion DKIM may work without l=0.
However, it breaks mailing list traffic and MIME-conformant forwarding
(compare that to SPF.) Do we aim at 100%?
More information about the ietf-dkim