[ietf-822] A permission to re-sign header

"John Levine" <johnl@taugh.com> Fri, 18 April 2014 02:19 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: ietf-822@ietfa.amsl.com
Delivered-To: ietf-822@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 2521C1A00BE for <ietf-822@ietfa.amsl.com>; Thu, 17 Apr 2014 19:19:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.357
X-Spam-Status: No, score=-0.357 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id qzqpIAQ6laIG for <ietf-822@ietfa.amsl.com>; Thu, 17 Apr 2014 19:19:52 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) by ietfa.amsl.com (Postfix) with ESMTP id 232081A00B4 for <ietf-822@ietf.org>; Thu, 17 Apr 2014 19:19:52 -0700 (PDT)
Received: (qmail 27653 invoked from network); 18 Apr 2014 02:19:48 -0000
Received: from miucha.iecc.com ( by mail1.iecc.com with QMQP; 18 Apr 2014 02:19:48 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:subject:mime-version:content-type:content-transfer-encoding; s=ba4.53508bc3.k1404; i=johnl@user.iecc.com; bh=Xmf4/5Sw3NcYfsw9c+ZYR3lVoTBj3reeYC+lW0bKRTY=; b=Crk0pQccVJPmDMJnrCWweawYgUQNMQSDXM6o8bF+g14MqRaum+oJyZgdKzTz11fHRo7g+zWsZhF7SvmpRho7J8B0kXfYQBqHgmYO67y3dn4sntBWZZ+Y1zsHx3G9dtuIylz3B7LeWaWYvFKcnaGgy7ngkg5KIlBxhih0jZkN5Zy9N5VyimIfzD3U5rQV3twrvNP0jwdzMbg7Atm9nE/HQ6ju+QAVM/iIPcP3ZuerixAtNdQSz8F5+aGikrMC4Yj/
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:subject:mime-version:content-type:content-transfer-encoding; s=ba4.53508bc3.k1404; olt=johnl@user.iecc.com; bh=Xmf4/5Sw3NcYfsw9c+ZYR3lVoTBj3reeYC+lW0bKRTY=; b=G5JMNURi3KayzP0J+h1Otxyj4m19BoibbGRwY70ez6YKAOYufPBOosj4YleDAkk9O9Py1iNo3WLxLxEx2/szBcY7Gr/rjgbw9/3WNifLa4OY2oVs1ORikSa/h+MVsLkJxoI0a1y+RUR3IN8RL7Vz2Rd6YKqF9LxsrhjbAW/yfGGf8yAzUeQPk6zAZND+8UM1OS4k0YuoX4mx45oE8E6K1bJeFW0Bpr3sOcZ9LeY1qwEX7sC6V2ZZTvPJKU864wrH
Date: Fri, 18 Apr 2014 02:19:25 -0000
Message-ID: <20140418021925.2979.qmail@joyce.lan>
From: John Levine <johnl@taugh.com>
To: ietf-822@ietf.org
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-822/OoqfUENZL8aSs6uylUUzlg5FxBw
Subject: [ietf-822] A permission to re-sign header
X-BeenThere: ietf-822@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of issues related to Internet Message Format \[RFC 822, RFC 2822, RFC 5322\]" <ietf-822.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-822>, <mailto:ietf-822-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-822/>
List-Post: <mailto:ietf-822@ietf.org>
List-Help: <mailto:ietf-822-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-822>, <mailto:ietf-822-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Apr 2014 02:19:56 -0000

As I understand it, the original sender puts a hard to forge single
use token in the message, which the forwarder can include in the
signed message.

Since I am lazy, I will reuse DKIM key records and invent a new
May-Resign header something like this:

May-Resign: f=marissam@yahoo.com; r=ietf.org; s=foo; a=rsa-sha256; \
   t=1397786669; b=hashhashhash

This is a permission to re-sign for a message From:
marissam@yahoo.com, to be re-signed by a mailing list at ietf.org. The
s= and a= and t= are the same as DKIM, the b= is a signature of a hash
of the M-R header, similar to the b= signature in a DKIM-Signature.

The relay includes the M-R header in the DKIM signature.  So now
we modify DMARC to say that

IF there is a M-R header with f= that matches the From: line address,

AND the M-R header is included in a DKIM signature that is signed with
d= that matches the M-R r=

AND the M-R signature validates using the s= selector and f= domain

AND the t= isn't too old (for some meaning of too old)

THEN the message is considered to be aligned.

Is that the general idea?

You could put an M-R header on anything, but if you want to limit it
to mail to addresses that claim to be mailing lists, you could use the
same name convention as the DANE S/MIME draft, with hashed mailboxes,

<hash of ietf-822>._mayresign.ietf.org TXT "v=MR1; d=ietf.org"

That says the ietf-822@ietf.org list is signed with d=ietf.org.  If a
domain contains only mailing lists, you can use a wildcard

*._mayresign.lists.iecc.com TXT "v=MR1; d=lists.iecc.com"