On 5/11/10 7:37 AM, Serge Aumont wrote: Serge, > -Sympa include DKIM signature verification and use DKIM signature > status in the process of message submission and email commands > -it remove broken pre-existing DKIM signature and keep others as is > (not all messages are processed in way that brake signature) > -it reject message comming from author ADSP record is discardable > and if the process of message by the MLM brakes signature. This > prevent brodcasting of a message that should be discarded by final > recipients. > -it add it's own signature (on per list configuration parameter) > -it sign MLM services messages and digest. > - etc Why limit rejection to ADSP "discardable" and not include ADSP "all"? Why would it be okay to accept messages having ADSP "all" that lack a valid Author Domain Signature?
BTW, ADSP "discardable" does not imply the desire to have messages rejected, especially from a MLM application running post acceptance. > I notice a good idea : as Sympa verify incomming DKIM signature it > should add a [AUTH-RESULTS] header field ; this header should be part > of the DKIM signature added by the MLM engine. I will add this feature > in Sympa in a near future. In respect to Auth-Results, when is it safe to assume MLM applications ensure compliance with ADSP? > > Section 4.2 > > "Verifiers that receive mail bearing DKIM signatures that fail to > verify might benefit from attempting to detect that such mail passed > through a non-participating MLM and then decide not to apply [ADSP] in > order to avoid aggressive filtering of mail that should otherwise have > been delivered.". > > This proposition may introduce a security issue : spammers could fake > an sender email and a MLM engine in order to bypass ADSP from a > particular domain. This proposition is a limit of what "ADSP > discardable" mean. If we accept this idea that the final verifier may > not test ADSP because the message comes from an non DKIM MLM, "ADSP > discardable" is not usefull anymore. We all known that the use case of > "ADSP discardable" is really limited. Agreed. When ADSP requires alternative domains to be compliant with third-party services, this lessens security. Essentially, this approach requires recipients to ignore the From header and to pay attention to an unseen DKIM signature perhaps without an indication of it being valid. > Please remove this paragraph from this draft. How would removing this paragraph change signing behaviors in a way that improves security? > > *Section 3.4* > > At last, another idea usefulness is that draft in * :* > "A possible mitigation to this incompatibility is use of the "l=" tag > to bound the portion of the body covered by the body hash, but this > has security considerations (see Section 3.5 of [DKIM])." > > The "l=" tag is one of the worth idea of DKIM if introduced because of > message body footer added by some MLM. MLM must not add anything after > the end of a message because this break Mime content. When adding a > footer, MLM should add an extra mime part, and this often require to > modify mime headers. So "l=" tag should not ne considered as an > efficient way to protect DKIM signature. > > I known that the problem is comming from rfc-4871 but I propose to > remove this sentence from this draft. Would you also suggest a practice of not altering the Subject line, or of not providing uniform message formats? It seems unlikely there is a desire to have these features removed from most mailing-lists. Would you be interested in an alternative mechanism requiring the same overhead as for ADSP, that eliminates a need to change any MLM handling? If ADSP is worth doing, why is it not worth doing in a way that increases security? s/brake/break/ -Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
