Re: [Ietf-dkim] X-Google-DKIM-Signature header field
Brandon Long <blong@google.com> Tue, 03 September 2019 23:38 UTC
The purpose of the XGDS signature is so that we can assert that it came from us, and is used as validation on some of the other fields that we add and that are signed by that field and that the contents of the message haven't changed. One could probably figure out how to verify it since it re-used the standard DKIM libraries.

We don't want to take "ownership" of the message in the reputation sense, hence the reason it's not a regular DKIM signature, nor do we want to deal with any pushback from mail admins because some random places they mail on the internet refuse messages when DKIM signatures are broken (in contravention of the spec, yes). It's also not google.com or any other domain ever used for sending mail so that any reputation or anything else people figure on this isn't applied inappropriately.

I.e., it's not uncommon for various providers to add a chunk of usually base64 encoded data to headers these days, this signature is there for our chunk when we require it to only apply to uncorrupted original messages. Well, we probably wouldn't care for "normal" modifications, but it was added pre-ARC and the loss of usage for cases where messages are harmlessly modified is fine. In fact, one of the use cases is for the X-Original-Authentication-Results (XOAR) header which was a precursor to ARC, a kind of one-hop ARC.

Brandon

On Tue, Aug 27, 2019 at 2:55 PM Jim Fenton <fenton@bluepopcorn.net> wrote:

> [resending because I needed to correct subscription address. Apologies
> for duplicate if the moderator approves the original.]
>
> I recently got a "welcome" message from a list.nist.gov mailing list
> that is apparently hosted on Google infrastructure. I notice it wasn't
> DKIM signed, but did have a X-Google-DKIM-Signature header field that
> looked like a normal DKIM signature with d=1e100.net (one of Google's
> many domains). Apparently Google doesn't intend that I rely on this
> signature for anything, but does anyone know why they aren't applying a
> normal DKIM signature from 1e100.net here?
>
> -Jim
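As an added illustration (not part of the original messages and not Google's code), the sketch below parses a DKIM-Signature value and an X-Google-DKIM-Signature value with the RFC 6376 tag-list syntax and reports how they differ: the signing domain, whether the body hash matches, and which header fields only the XGDS covers. The header values are constructed samples with placeholder bh= and b= data, and `parse_tag_list` and `compare_signatures` are hypothetical helper names.

```python
import re

# Constructed sample values modelled on the two fields discussed in the
# thread; bh= and b= are placeholders, not real hashes or signatures.
DKIM_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025;\r\n"
    " h=mime-version:from:date:message-id:subject:to\r\n :cc;"
    " bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG\r\n NATUREONE=="
)
XGDS_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025;\r\n"
    " h=x-gm-message-state:mime-version:from:date\r\n"
    " :message-id:subject:to:cc; bh=PLACEHOLDERBODYHASH=;\r\n"
    " b=PLACEHOLDERSIG\r\n NATURETWO=="
)


def parse_tag_list(value):
    """Parse an RFC 6376 tag-list ("tag=value; ...") into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for item in unfolded.split(";"):
        if not item.strip():
            continue  # a trailing ";" is allowed
        name, sep, val = item.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {item!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        if name in ("b", "bh", "h"):
            val = re.sub(r"\s+", "", val)  # whitespace here is folding only
        tags[name] = val.strip()
    return tags


def compare_signatures(dkim_value, xgds_value):
    """Summarise how an XGDS differs from the regular DKIM signature."""
    dkim, xgds = parse_tag_list(dkim_value), parse_tag_list(xgds_value)
    dkim_h = dkim["h"].lower().split(":")
    xgds_h = xgds["h"].lower().split(":")
    return {
        "signing_domains": (dkim["d"], xgds["d"]),
        "same_body_hash": dkim["bh"] == xgds["bh"],
        "only_in_xgds": [f for f in xgds_h if f not in dkim_h],
    }
```
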