How do you scan the QR code when the majority of people use their phones
to read the email?
Matt
On 2021-12-11 3:16 p.m., Sebastian Nielsen via mailop wrote:
Hi.
Im new here, and have been a mail server operator for quite a bit of a
time.
I just got a new idea for a new internet standard – that builds upon
DKIM – that should be named as DKIM-QR.
And want to hear your toughts about the idea.
The idea is as follows:
An DKIM-compliant sender, can choose to include a QR-code in the
email, as a picture. How this QR-code is generated on the sender’s
side (either by unique ID that loads the whole QR from a database, or
by embedding the whole DKIM signature inside the src= of the image and
then have server to generate the QR, or simply attaching the QR code
to the email as a inline attachment) is up to the sender.
The QR code’s textual content should be “dkim://” followed by the
content of the “DKIM-Signature:” header field, in an URL_Safe format,
then followed by the content of the fields being signed in the same
order as it appears in the h= field.
Note here, that if full body is signed, the content of the QR code
signature, and the DKIM-Signature: field, will differ by the bh=, as
the email without QR-code embedded will be signed in the QR-signature,
and the header DKIM-Signature will have the email WITH the
QR-signature. This should be completely valid, otherwise a chicken&egg
problem would appear if the signature must be a signature of itself.
If the sender want to save on signing resources, he can use the l= tag
to exclude the to-be-appended QR from body validation, then the sender
can just copy the mail’s signature from the header and append the
generated QR to the email.
URL-safe then means ; must be replaced with &, and all base64 strings
should be converted to URL-safe format, where + is replaced by – and /
is replaced by _, and any padding is removed.
On the end, a &-separated list of all signed header fields should be
included after a ?.
The header DKIM-Signature:
v=1;a=rsa-sha256;d=filmstaden.se;s=apsis;c=relaxed/relaxed; q=dns/txt;
t=1639144767;h=content-type:mime-version:subject:date:message-id:to:from:feedback-id:reply-to:list-unsubscribe-post:list-unsubscribe;bh=2hkchgJnI3p6njCQxrjr8vXfERYte+YcbH+rnJbgtEs=;b=Ulh8/Hi1eYO4tp9TgSWVSsHvi2AE7bL48/lR+F5IcIwJufNbaGafOMjQvj7c8+w3mkWneNskNYHJ1WBr6T+cMaUPgmiUiRRviyl2BWhmPivcfZVA/B4xSOcRW2nMjOvWRldcrdkrz00g2XnwJwyyE02e8quaBjzODe4bTTUHWyNeap+kE9R0rAfTAcTvRYCOiqtUitIIU6a82W10C8rXR6Atx/wIl3mQAsP6sZpGckUtCfFPPdD1n6gCS6FDav7Ss7a2DQjzhkallSWaOfQ5IpKiYqcLf1kTPdtL4Gw/TYbKzOJDHCQ3BA8HBzFDXdhwBW03pkbuwzdz+T6/caylbg==
Would in QR-form become:
dkim://v=1&a=rsa-sha256&d=filmstaden.se&s=apsis&c=relaxed/relaxed&q=dns_txt&t=1639144767&h=content-type:mime-version:subject:date:message-id:to:from:feedback-id:reply-to:list-unsubscribe-post:list-unsubscribe&bh=2hkchgJnI3p6njCQxrjr8vXfERYte-YcbH-rnJbgtEs=&b=Ulh8_Hi1eYO4tp9TgSWVSsHvi2AE7bL48_lR-F5IcIwJufNbaGafOMjQvj7c8-w3mkWneNskNYHJ1WBr6T-cMaUPgmiUiRRviyl2BWhmPivcfZVA_B4xSOcRW2nMjOvWRldcrdkrz00g2XnwJwyyE02e8quaBjzODe4bTTUHWyNeap-kE9R0rAfTAcTvRYCOiqtUitIIU6a82W10C8rXR6Atx_wIl3mQAsP6sZpGckUtCfFPPdD1n6gCS6FDav7Ss7a2DQjzhkallSWaOfQ5IpKiYqcLf1kTPdtL4Gw_TYbKzOJDHCQ3BA8HBzFDXdhwBW03pkbuwzdz-T6_caylbg?multipart/alternative;
boundary="----A854E1CE55B241EFA7CBBDCF4B9DFCB1"&MIME-Version:
1.0&=?UTF-8?Q?K=C3=B6p_biljetter_idag_till_The_Matrix_Resurrections!?=&Fri,
10 Dec 2021 14:59:29
+0100&329fc538580440abb21e9f4858643...@filmstaden.se&"Sebastian
Nielsen" <sebast...@sebbe.eu>&"Filmstaden Medlem"
<medlem.no-re...@filmstaden.se>&********:*********************:*-1:apsis&medlem.no-re...@filmstaden.se&List-Unsubscribe=One-Click&<https://www.anpdm.com/oa-auto/********/**************************>,<mailto:del...@apsis.com?subject=UnReg:*******::********************************::*>
And now to why this would be useful:
An receiver of an email, could then scan the QR code with his mobile
phone, and the mobile app would do the validation against public DNS.
This, if this would become a standard, could be even implemented
built-in in phones.
The validation popup should be part of phone, not a web page, indicate
if signature validation is OK, which domain that signed (d= of the
DKIM signature), and the content of the fields “From”, “To”, “Date”,
“Subject” – if those fields were signed.
This allows a user, to be able to DKIM validate an email EVEN if the
receiving system has no support for DKIM validation at all, neither
the client or receiving mail server. This would increase trust for
email, as users that suspect an email with an embedded link is
phishing, could easily scan the QR code with his mobile phone, and
instantly know the email is legit.
Security considerations:
If a phisher steals the QR code, he would not be able to use it,
because the Date: will be different. It would be immediately clear to
the receiver that its an old signature that have been wrongly reused.
Since the To: is included in the validation popup, it would also be
evident to the original user that the To: address doesn’t match.
And misusing a QR for one email, to send a phishing email with another
content, would also be evident either by the subject tag not matching
the content of the email, or the subject tag not matching whats shown
in validation popup.
There is a risk that someone might include a malicious link instead of
dkim:// in QR-code, but since all the QR scanner apps today ask the
user if they want to open the link, the danger decreases.
Also another thing is that mobile phones are today inherently more
secure, as they, unless configured, will refuse to install binaries
from unknown sources and isolate apps from each other, meaning that
even if a dangerous link would be mistakenly opened, nothing would
install without clicking through multiple consent windows.
This would bring DKIM more to the masses, by senders being able to put
in a “Scan-To-Verify” DKIM-QR in emails, also prompting users to
verify their emails.
Would love to hear the toughts about the idea.
Best regards, Sebastian Nielsen
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
