Re: [ietf-822] A permission to re-sign header

Pete Resnick <presnick@qti.qualcomm.com> Fri, 18 April 2014 18:32 UTC

Message-ID: <53516FA7.3020507@qti.qualcomm.com>
Date: Fri, 18 Apr 2014 13:32:07 -0500
From: Pete Resnick <presnick@qti.qualcomm.com>
To: John Levine <johnl@taugh.com>
References: <20140418021925.2979.qmail@joyce.lan>
In-Reply-To: <20140418021925.2979.qmail@joyce.lan>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-822/OuABS9FKVAiElfS0sboYRQO4C_s
Cc: ietf-822@ietf.org
Subject: Re: [ietf-822] A permission to re-sign header
List-Id: "Discussion of issues related to Internet Message Format \[RFC 822, RFC 2822, RFC 5322\]" <ietf-822.ietf.org>

First of all, "permission to re-sign" seems to me to be the wrong 
semantics. This is simply "originally sent from here to there". The 
originating site (example.com) wants to say, "This message came from 
example.com and got sent to somebody@foo.example.net", in a way that 
someone who receives a message from foo.example.net can check.

On 4/17/14 9:19 PM, John Levine wrote:
> As I understand it, the original sender puts a hard to forge single
> use token in the message, which the forwarder can include in the
> signed message.
>    

It could be hard to forge, or it could be hard for anyone else to read 
(e.g., the token could be encrypted to the forwarder and rewritten 
usefully by the forwarder). That is, what the list gets from the 
originator does not need to be exactly what the list sends to the 
eventual recipients. But either might be a reasonable approach.

> IF there is a M-R header with f= that matches the From: line address,
>
> AND the M-R header is included in a DKIM signature that is signed with
> d= that matches the M-R r=
>
> AND the M-R signature validates using the s= selector and f= domain
>
> AND the t= isn't too old (for some meaning of too old)
>
> THEN the message is considered to be aligned.
>
> Is that the general idea?
>    

Yep.

pr

-- 
Pete Resnick <http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478
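
The alignment test outlined in the quoted text above, written out as an added Python example (not part of the original message and not code from either author). The header name `M-R` as it would appear in a DKIM h= list, its tag-list syntax, the domain-only comparison with From:, the 7-day age limit and the `mr_sig_ok` callback are assumptions; the thread fixes none of them.

```python
import time
from email.utils import parseaddr

MAX_AGE = 7 * 24 * 3600  # assumption: the thread leaves "too old" undefined

def parse_tags(value):
    """Split 'k=v; k=v' into a dict (DKIM-style tag list, assumed syntax)."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def mr_aligned(from_header, mr_value, dkim_results, mr_sig_ok, now=None):
    """Apply the four quoted conditions; return (aligned, reason).

    dkim_results: [{"d": domain, "h": [signed header names], "valid": bool}]
                  as reported by whatever DKIM verifier checked the message.
    mr_sig_ok:    callable(selector, domain) -> bool, the cryptographic check
                  of the M-R signature, supplied by the caller.
    """
    now = time.time() if now is None else now
    mr = parse_tags(mr_value)
    if not all(mr.get(k) for k in ("f", "r", "s", "t")):
        return False, "M-R is missing f=, r=, s= or t="
    # 1. f= matches the From: line address (compared here by domain).
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if mr["f"].lower() != from_domain:
        return False, "f= does not match From:"
    # 2. A valid DKIM signature with d= equal to r= covers the M-R header.
    if not any(r["valid"] and r["d"].lower() == mr["r"].lower()
               and "m-r" in (h.lower() for h in r["h"]) for r in dkim_results):
        return False, "no valid r= signature covers M-R"
    # 3. The M-R signature validates under the s= selector and f= domain.
    if not mr_sig_ok(mr["s"], mr["f"].lower()):
        return False, "M-R signature invalid"
    # 4. t= is not too old (a non-numeric t= is rejected as well).
    if not mr["t"].isdigit() or now - int(mr["t"]) > MAX_AGE:
        return False, "t= too old or malformed"
    return True, "aligned"

# Constructed sample: example.com mail forwarded by a list at foo.example.net.
NOW = 1397845930
MR = "f=example.com; r=foo.example.net; s=sel1; t=1397800000"
DKIM = [{"d": "foo.example.net", "h": ["from", "subject", "m-r"], "valid": True}]
key_ok = lambda s, d: (s, d) == ("sel1", "example.com")  # stand-in verifier

if __name__ == "__main__":
    print(mr_aligned("Alice <alice@example.com>", MR, DKIM, key_ok, NOW))
```

A forwarder whose DKIM signature omits the M-R header from h=, or signs with a d= other than the M-R r=, fails at step 2 even when the token itself is genuine.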