On Mon, Nov 23, 2020 at 11:53 AM Dave Crocker <dcroc...@gmail.com> wrote:
> On 11/23/2020 11:42 AM, Brandon Long wrote:
> >
> > On Mon, Nov 23, 2020 at 11:34 AM Dave Crocker <d...@dcrocker.net
> > <mailto:d...@dcrocker.net>> wrote:
> >
> > On 11/23/2020 11:29 AM, Brandon Long wrote:
> > > The DKIM-Signature is an "ownership" thing, it's a message originator
> > > that is saying "associate this message to me".
> >
> > That is not DKIM's semantics:
> >
> > "DomainKeys Identified Mail (DKIM) permits a person, role, or
> > organization to claim some responsibility for a message by
> > associating a domain name"
> >
> > This says nothing about whether the organization has anything to do
> > with origination.
> >
> > There is nothing to prohibit or preclude handling agents other than
> > the originator from signing.
> >
> > Yes, of course, a handling agent can do it, but there are plenty of
> > reasons why they shouldn't.
>
> Please enumerate and explain. If it's that dangerous, we should
> document it, especially I don't recall that constraint being in any of
> the design or standardization discussions.

DKIM often ties a domain to reputation and other anti-spam features. If you forward spam to another host and sign it while forwarding, then the other host will think you send spam.

DMARC ties DKIM to the From header and at least is interpreted as being an anti-phishing feature. DKIM signing mail that you forward could mean upgrading a phishing message to passing DMARC.

This recent article also goes into things that DKIM signatures imply:
https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/

Perhaps this all means that DKIM has been used for more than it was intended for.

> > > Intermediaries don't want to take ownership of the message in that
> > > sense, though there are some mailing lists that do.
> >
> > Signing with DKIM does not take 'ownership'.
> >
> > Yes, responsibility is the proper word. My point survives the word
> > change.
>
> I disagree.
> >
> > DKIM says the domain takes responsibility for the message, while ARC says
> > the domain takes responsibility for evaluating the status of the message
> > when they received and forwarded it.
>
> This implies that the word 'some' is irrelevant. It isn't. And it was
> included intentionally.

Automated systems can't really tell how much responsibility an intermediary was intending to take for the message. OTOH, they typically are using it only for a certain purpose, so they assume that the intermediary took responsibility in the sense that they want... or rather, the people who wrote the code do. Or the journalist writing the story.

ARC was specified to have a more specific responsibility, and as different from DKIM so that it wasn't mistaken for the uses that people were already using DKIM for.

Brandon
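As an added illustration (not code from the thread, nor from any DKIM or DMARC implementation) of the point above that DMARC ties DKIM to the From header, the evaluator below applies DMARC's DKIM-alignment rule (RFC 7489, section 3.1) to constructed signature sets and shows which forwarder signatures do and do not turn a spoofed From into a DMARC pass. The tiny suffix list, the domain names and the DkimResult type are assumptions made for the example.

```python
# Added example: DMARC DKIM-alignment evaluation over constructed inputs.
# Shows when a forwarder's DKIM signature "upgrades" a message to a DMARC
# pass (only when its d= aligns with the From domain) and when it does not.
from dataclasses import dataclass

# Assumption: a tiny constructed public-suffix list stands in for the real PSL.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: one label above the longest matching suffix."""
    labels = domain.lower().strip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


@dataclass
class DkimResult:
    d: str        # signing domain from the d= tag
    valid: bool   # True only if the signature verified cryptographically


def dkim_aligned(from_domain: str, sig: DkimResult, adkim: str = "r") -> bool:
    """Strict (adkim=s) needs an exact d= match with the From domain; relaxed
    (adkim=r) needs the same organizational domain. Invalid signatures never count."""
    if not sig.valid:
        return False
    if adkim == "s":
        return sig.d.lower() == from_domain.lower()
    return org_domain(sig.d) == org_domain(from_domain)


def dmarc_dkim_pass(from_domain: str, sigs, adkim: str = "r") -> bool:
    """The DKIM leg of DMARC passes if any signature is both valid and aligned."""
    return any(dkim_aligned(from_domain, s, adkim) for s in sigs)


# Constructed scenarios; every message carries From: alice@example.org.
ORIGINAL = [DkimResult("example.org", True)]                    # author-domain signature
FORWARDED = ORIGINAL + [DkimResult("forwarder.net", True)]      # relay added its own signature
PHISH_FORWARDED = [DkimResult("forwarder.net", True)]           # spoofed From, relay signed it
# The risky case from the thread: a relay whose signing domain shares the From
# domain's organizational domain (e.g. a mailbox provider re-signing mail it
# forwards) gives a spoofed From a valid, aligned signature under relaxed alignment.
PHISH_RESIGNED_UNDER_FROM_ORG = [DkimResult("mail.example.org", True)]

if __name__ == "__main__":
    for name, sigs in [("original", ORIGINAL), ("forwarded", FORWARDED),
                       ("phish via forwarder", PHISH_FORWARDED),
                       ("phish re-signed under From org domain", PHISH_RESIGNED_UNDER_FROM_ORG)]:
        print(f"{name}: DMARC DKIM pass = {dmarc_dkim_pass('example.org', sigs)}")
```

Only the last scenario passes because of the forwarder, and only under relaxed alignment; publishing adkim=s would close that particular gap for the example.org domain.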
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc