Re: [apps-discuss] The authentication server id, was rfc5451bis

"Murray S. Kucherawy" <> Fri, 29 March 2013 19:25 UTC

To: Alessandro Vesely <>
Cc: IETF Apps Discuss <>

On Fri, Mar 29, 2013 at 11:33 AM, Alessandro Vesely <> wrote:

> >> then, a parser designed after 5451bis has to _guess_ that the one it
> >> knows is indeed "1".
> >
> > Why?  This hasn't changed in the -bis document either.
> In RFC 5451 it was indicated as a comment to the "version" production
> rule, as in the current draft.  That might be slightly inappropriate
> since that rule works also for the methods, which have their own
> versions.  Since -bis has a section on version tokens, readers may
> expect to find that statement there.

The version production is 1*DIGIT.  That's not a comment.

> BTW, would sender-id have had "2.0" there?


> >>> I don't think this document (old or new) goes to great lengths
> >>> to establish transitive trust mechanisms, and shouldn't unless
> >>> there are implementations that do so.
> >>
> >> I agree that it shouldn't:  Section 1.2 is clear about being agnostic
> >> on the trust boundary.  However, if the local definition of "trust
> >> boundary" is such that a producer doesn't know the whole trust-list,
> >> then the MUST in the first paragraph of Section 5 is not actionable.
> >
> > Why would the producer need to know more than one entry in the list?
> That's usual.  Doesn't opendkim take a list of identities and compare
> each A-R against it?

Yes, when operating as a consumer of the field (for the purpose of
identifying the ones that need to be deleted), not a producer of it.

>  If it doesn't have the whole list --and admins
> may worry about allowing write access to their remardb to any possible
> downstream consumer-- then there's nothing it can do about it.

It doesn't need the whole list when acting as a producer.  It needs one

> As John said, the point of the authserv-id is to allow a system to
> recognize its own A-R headers.  The "its own" part is what limits free
> extensibility of the trust boundary.

Consumers get to have a set that they consider "their own".  Producers can
only insert one string there, obviously.

> >> Renaming by prefix insertion allows recovery at very small risk, with
> >> very simple code:
> >>
> >>   dkim_header(dkim, start + dkim_unrename,
> >>      eol - start - dkim_unrename);
> >>
> >> where dkim_unrename is either 0 or the length of the prefix inserted
> >> by the upstream agent.  Note that the code above doesn't know whether
> >> the field is actually signed or not.
> >
> > You're doing this at the wrong layer.  This change would cause the DKIM
> > validation code to see something different.
> Different from what the rest of the system sees, but hopefully not
> different from what the signer signed.

Of course it is.  What you're feeding to dkim_header(), by changing it,
will invalidate the signature, if that field was signed.

> > You need to send the instruction in the other direction, which makes
> > it more complicated.
> What do you mean?  I cannot tell the sender that I don't trust it, so
> it should stop cluttering messages with its A-Rs.  An A-R for the auth
> method, for example, can only be written there.
> OTOH, it is possible to recognize that a sender/signer is trusted and
> unrename its A-Rs after verification too, when changes are committed
> to disk.  I'm not going to code such complication, for the time being.

I'm totally confused by what you're getting at here.

dkim_header() tells the DKIM layer what it's signing or verifying.  Why you
would want to change that is beyond me.  What you're trying to do is alter
the name of the field so consumers won't see it.  dkim_header() is
absolutely the wrong way to do that.  Rather, you need to tell the MTA to
do the rename operation, which might actually be a delete+insert
operation.  DKIM has absolutely nothing to do with that.
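The consumer-side operation the thread keeps returning to (a border MTA recognising Authentication-Results fields that carry one of its own authserv-ids yet arrived from outside the trust boundary, and deleting or renaming them at the MTA layer rather than inside the DKIM code) is sketched below as an added example for this archive page. It is not code from the thread, from OpenDKIM, or from either correspondent. The "Old-" rename prefix, the header list and the set of own authserv-ids are constructed for the example, the parser assumes an unquoted authserv-id token, and an absent version is read as 1.

```python
import re

# Prefix used when an untrusted field is renamed instead of deleted.
# Constructed for this example; the thread does not name a prefix.
RENAME_PREFIX = "Old-"

# authserv-id, an optional authres-version (1*DIGIT), then ";" or end of
# value. Folding whitespace in the value is collapsed before matching.
_AUTHSERV_RE = re.compile(r"^\s*([^\s;]+)(?:\s+(\d+))?\s*(?:;|$)")


def parse_authserv_id(value):
    """Return (authserv-id, version) from an Authentication-Results value.

    The authserv-id is lower-cased for comparison. A missing version is
    taken as 1; None is returned if the leading token cannot be parsed.
    """
    text = " ".join(value.split())          # unfold the header value
    m = _AUTHSERV_RE.match(text)
    if not m:
        return None
    authserv_id, version = m.group(1), m.group(2)
    return authserv_id.lower(), (int(version) if version else 1)


def scrub_border_authres(headers, own_authserv_ids, rename=False):
    """Walk (name, value) header pairs as they arrive at the border MTA.

    A field claiming one of our own authserv-ids cannot have been produced
    inside our trust boundary, so it is dropped, or renamed by prefix
    insertion when rename=True. The DKIM layer is never consulted: this is
    a header edit at the MTA, not a change to what dkim_header() sees.
    Returns (kept_headers, flagged_headers).
    """
    own = {s.lower() for s in own_authserv_ids}
    kept, flagged = [], []
    for name, value in headers:
        if name.lower() == "authentication-results":
            parsed = parse_authserv_id(value)
            if parsed is not None and parsed[0] in own:
                flagged.append((name, value))
                if rename:
                    kept.append((RENAME_PREFIX + name, value))
                continue
        kept.append((name, value))
    return kept, flagged


# Constructed inbound headers: two fields forge our own authserv-id
# (one folded, with an explicit version), one belongs to another domain.
SAMPLE_HEADERS = [
    ("Received", "from relay.example.net by mx.example.com; (constructed)"),
    ("Authentication-Results", "mx.example.com; dkim=pass header.d=example.org"),
    ("Authentication-Results",
     "MX.example.com 1;\r\n\tspf=pass smtp.mailfrom=example.org"),
    ("Authentication-Results", "relay.example.net; dkim=pass header.d=example.org"),
    ("From", "sender@example.org"),
]

OWN_AUTHSERV_IDS = {"mx.example.com"}   # the set this consumer calls "its own"


if __name__ == "__main__":
    kept, flagged = scrub_border_authres(SAMPLE_HEADERS, OWN_AUTHSERV_IDS)
    for name, value in flagged:
        print("removed forged field:", name, "->", parse_authserv_id(value))
    renamed, _ = scrub_border_authres(SAMPLE_HEADERS, OWN_AUTHSERV_IDS, rename=True)
    print("after rename:", [n for n, _ in renamed])
```

The rename path keeps the original text available for later inspection, which is the recovery property the prefix-insertion idea is after; the delete path is the plain RFC behaviour. Both act only on the field name the MTA stores, so a signature that covered the original field is unaffected by which path is chosen at verification time.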