On Sat, May 21, 2016 at 12:23 PM, Steve Atkins <st...@blighty.com> wrote:
>
>> On May 21, 2016, at 8:45 AM, Jim Popovitch <jim...@gmail.com> wrote:
>>
>> On Fri, May 20, 2016 at 5:21 PM, Michael Rathbun <m...@honet.com> wrote:
>>> On Fri, 20 May 2016 17:00:37 -0400, Jim Popovitch <jim...@gmail.com> wrote:
>>>
>>>> Give me a (real world) example of how 2 DKIM sigs will be in the same
>>>> email msg and both sigs will verify.
>>>
>>> Here are two:
>>>
>>>> Authentication-Results: mx.google.com;
>>>> dkim=pass (test mode) header.i=@humblebundle.com;
>>>> dkim=pass (test mode) header.i=@dynect.net;
>>>
>>>> Authentication-Results: mx.google.com;
>>>> dkim=pass header.i=@cpro30.com;
>>>> dkim=pass header.i=@morningconsult.com;
>>>
>>
>>
>> That's quite vague. What was signed by each key? When most people
>> think of DKIM they think of a DKIM key being used to guarantee that
>> parts of a message haven't been modified in transit.
>
> If they do, they're thinking about it wrong. DKIM is *not* about message
> integrity, it's about someone taking responsibility for the message in
> a way that is provable by a third party. Or, if you prefer a more mechanical
> model, it's about attaching an unforgeable identifier to a message so that
> that identifier can be used as a key to track the history of the email
> author.
Email is multi-faceted. I really don't think there is any one person who has seen all sides and knows what's best for all sides. Correct me if I am wrong (with details please). ESPs are the only ones using 2 or more DKIM sigs, and one or more of those DKIM sigs is just an identifier injected along the way, that seeks to verify the middle-man by signing zero or a few headers (but not any headers wrt deliverability, hops, received lines, etc.)

> That it does that partly by using a cryptographic signature that includes
> some subset of the content is an implementation detail that's only there to
> mitigate replay attacks.

That "subset" is the part that interests me.

>> So, for this
>> discussion, I think it's important to identify the parts of the
>> message that are being signed, no?
>
> Not generally, no. But that info is in the DKIM-Signature headers
> if you want it.

I do want it, and since MDR provided the incomplete example I was asking him to provide the rest.

-Jim P.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
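As an added example (not part of the thread), the question of what each signature covers can be answered from the h= tag of each DKIM-Signature header: the script below parses the tag list of every signature in a message and reports the signing domain, the headers it signs, and which deliverability-relevant headers it leaves unsigned. The sample message, its domains and signature values are constructed, and the set of "deliverability" headers is an assumption for the example.

```python
import re
from email import message_from_string

# Constructed sample message carrying two DKIM-Signature headers (domains,
# selectors and signature values are made up for this example).
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example-esp.test;
 s=sel1; h=from:to:subject:date:message-id; bh=BODYHASH1; b=SIGBYTES1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=relay.example;
 s=relay; h=from; bh=BODYHASH1; b=SIGBYTES2
From: sender@example-esp.test
To: someone@example.org
Subject: Hello
Date: Sat, 21 May 2016 12:23:00 -0700
Message-ID: <abc@example-esp.test>

body text
"""

# Headers that affect what the recipient sees and how the message is handled;
# this set is an assumption for the example, not a standard list.
DELIVERABILITY_HEADERS = {"from", "to", "subject", "date", "message-id"}


def parse_tags(value: str) -> dict:
    """Parse a DKIM-Signature tag list (RFC 6376 section 3.2) into a dict,
    dropping folding whitespace so folded h= and b= values parse cleanly."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def signed_header_report(raw_message: str) -> list:
    """For each DKIM-Signature, report the signing domain (d=), the headers
    it covers (h=) and which deliverability headers it leaves unsigned."""
    msg = message_from_string(raw_message)
    report = []
    for value in msg.get_all("DKIM-Signature") or []:
        tags = parse_tags(value)
        covered = [h.lower() for h in tags.get("h", "").split(":") if h]
        report.append({
            "domain": tags.get("d", ""),
            "signed_headers": covered,
            "unsigned_deliverability_headers":
                sorted(DELIVERABILITY_HEADERS - set(covered)),
        })
    return report
```

Run `signed_header_report(SAMPLE)` on a real message (with the sample replaced by its raw source) to see per-signature which headers a verifier's dkim=pass actually vouches for.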