Thoughts on third-party signatures

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Tue, 14 Sep 2010 21:05:03 -0700 (PDT)

The working group that develops DKIM protocols has frequent and protracted
discussions about what third-party signatures (i.e. those where the
signing domain doesn't match the domain in the From: field of the message)
should mean to verifiers. I'd like to get a feel for what our user base
thinks about them. This will feed into the discussion as well as into
some experiments I'm considering for those that might wish to participate.

Some background: The DKIM specification itself makes no binding between
the signing domain and the From: domain. That means anyone can sign
anyone's mail as a way of saying, "We take some responsibility for this
message." A receiver is free to use this information however it sees fit;
the specification only says that a verifier should treat a message with an
invalid signature the same way it treats a message with no signature.

Local policy is left to local sites to decide. In some sense, DKIM
provides information about the message to the receiver, and then the
receiver does whatever it wants.

So what do people think about this issue? Let's say you get a piece of
email that's signed only by a third-party signature that validated. Do
you treat it differently? What if it had both?

Let's say you could get a score for a domain name found in a signature,
and it had two signatures with different scores. Which one "wins"?

There is currently a mechanism by which the owner of the From: domain can
say, "If you get mail that claims to be From: us but doesn't contain a
valid signature from us, throw it away." There is not currently a way to
extend that to say "Signatures from alternate domains D1, D2, ..., Dn are
also OK." Does anyone think that would be useful? Would you use it if it
existed?

A lot of the work of the working group is currently stalled. There are
lots of theories about the way things should work or what terrible things
will happen if we do or don't do something. What we need is both fresh
opinions from people not already mired down in the work that actually use
the stuff (i.e., most of you!), and some actual data to back up those
claims (which is a huge reason for all the OpenDKIM statistics work
lately). That's leading me to wonder if we shouldn't conduct some
experiments in this area, based on your feedback, so we can go back to the
working group and say "Well, we tried it, and here's what we saw."

Your thoughts and opinions are welcome.

-MSK
Received on Wed Sep 15 2010 - 04:05:22 PST