On 6 May 2019, at 17:10, Grant Taylor wrote: > On 5/3/19 2:02 PM, Bill Cole wrote: >> If the signer domain and the From header domain match, a valid DKIM >> signature that includes the From header is authentication of the From header >> to the limits of DNS trustworthiness and trust in the integrity of the >> domain's authority. > > Which section of RFC 6376 supports this statement?
The parts that use the word "domain." There is a basic premise grounded in the the definition of domain names and buttressed by the use of domain names in effectively everything else that domains have a unitary executive: that the entity which publishes a public key in a DKIM record, the entity that signs mail with the corresponding private key, and the entity that controls the email local-part namespace for the domain are all one entity, as far as the world is concerned. > I just re-read large chunks of RFC 6376 and see verbiage that states the > opposite. All of which seem to me to specifically avoid drawing any > conclusion about the authorship of a message within the context of DKIM. > Further, such conclusions are left to other things making policy decisions > based on DKIM results. > > | § 3.11 - Relationship between SDID and AUID > | > | INFORMATIVE DISCUSSION: This document does not require the value > | of the SDID or AUID to match an identifier in any other message > | header field. > > DKIM does not require SDID or AUID to match any other header field. As such, > DKIM itself can't be relied upon as authentication of other header fields. Non sequitur. DKIM itself does not require any sort of match. It is entirely valid for a signer to sign with a key whose domain is unrelated to any domain in the message or its envelope. However, in ALL cases the DKIM signer is claiming responsibility for the message being signed. What that claim is worth in all cases is not specified by DKIM. In a special case (DKIM signer domain = From address domain) the conceptual nature of the DNS implies that the claim of responsibility is de facto authentication. > | This requirement is, instead, an Assessor policy issue. > > Per § 2.7, the Identity Assessor "consumed DKIM's payload" which tells me > that it is not part of DKIM. I believe that "Other DKIM (and non-DKIM) > values can also be used by the Identity Assessor…." supports the fact that > the Identity Assessor is external to DKIM. Yes. This does not mean that it does not exist or that it doesn't need to follow some basic rules. SpamAssassin has a DKIM_VALID_AU rule because a basic rule it understands about assessing identity is that a domain signer should know whether a From in its domain is valid. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Available For Hire: https://linkedin.com/in/billcole
signature.asc
Description: OpenPGP digital signature
