> On May 21, 2016, at 8:45 AM, Jim Popovitch <jim...@gmail.com> wrote:
>
> On Fri, May 20, 2016 at 5:21 PM, Michael Rathbun <m...@honet.com> wrote:
>> On Fri, 20 May 2016 17:00:37 -0400, Jim Popovitch <jim...@gmail.com> wrote:
>>
>>> Give me a (real world) example of how 2 DKIM sigs will be in the same
>>> email msg and both sigs will verify.
>>
>> Here are two:
>>
>>> Authentication-Results: mx.google.com;
>>> dkim=pass (test mode) header.i=@humblebundle.com;
>>> dkim=pass (test mode) header.i=@dynect.net;
>>
>>> Authentication-Results: mx.google.com;
>>> dkim=pass header.i=@cpro30.com;
>>> dkim=pass header.i=@morningconsult.com;
>>
>
> That's quite vague. What was signed by each key? When most people
> think of DKIM they think of a DKIM key being used to guarantee that
> parts of a message haven't been modified in transit.
If they do, they're thinking about it wrong. DKIM is *not* about message integrity; it's about someone taking responsibility for the message in a way that is provable by a third party. Or, if you prefer a more mechanical model, it's about attaching an unforgeable identifier to a message so that that identifier can be used as a key to track the history of the email author. That it does that partly by using a cryptographic signature that includes some subset of the content is an implementation detail that's only there to mitigate replay attacks.

> So, for this
> discussion, I think it's important to identify the parts of the
> message that are being signed, no?

Not generally, no. But that info is in the DKIM-Signature headers if you want it.

Cheers,
  Steve

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
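The "what was signed by each key" question above is answered by the signatures themselves: each DKIM-Signature header's h= tag lists the header fields it covers, and bh= (optionally limited by l=) covers the body. As an added example, not from the thread or any list member, this Python reader takes a message carrying two signatures, as in the quoted Authentication-Results, and reports for each one who signed (d=, i=, s=), which header fields it covers, and which present headers it does not, next to the identities that Authentication-Results marks dkim=pass. The message, domains and signature values are constructed placeholders; nothing is cryptographically verified.

```python
import email

# Constructed sample (not from the thread): two DKIM-Signature headers, as when
# the author's domain and an ESP both sign. Signature values are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@example.org;
 dkim=pass header.i=@esp.example;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;
 h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=esp.example; s=mail;
 i=@esp.example; l=200; h=from:subject:date:list-unsubscribe;
 bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG2
From: sender@example.org
To: rcpt@example.net
Subject: hello
Date: Fri, 20 May 2016 17:00:37 -0400
List-Unsubscribe: <mailto:unsub@esp.example>

body text
"""

def parse_tag_list(value):
    """Parse an RFC 6376 tag=value list, discarding folding whitespace."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = "".join(val.split())
    return tags

def signature_coverage(raw_message):
    msg = email.message_from_string(raw_message)
    present = {k.lower() for k in msg.keys()} - {"dkim-signature"}
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(sig)
        # h= names the signed header fields (the signature header itself is
        # implicitly included); bh= hashes the body, or only its first l= octets.
        signed = {h.lower() for h in tags.get("h", "").split(":") if h}
        report.append({"domain": tags.get("d"), "body_limit": tags.get("l"),
                       "identity": tags.get("i", "@" + tags.get("d", "")),
                       "signed": sorted(signed), "unsigned": sorted(present - signed)})
    return report

def dkim_pass_identities(raw_message):
    msg = email.message_from_string(raw_message)
    return [tok.split("=", 1)[1] for ar in msg.get_all("Authentication-Results", [])
            for clause in ar.split(";") if "dkim=pass" in clause
            for tok in clause.split() if tok.startswith("header.i=")]
```

Running `signature_coverage(SAMPLE)` shows that the second signer does not cover To:, and `dkim_pass_identities(SAMPLE)` returns the two identities that a verifier would report, matching the two-signer cases quoted in the thread.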