[exim-dev] [Bug 376] Support for DKIM

Top Page
Delete this message
Reply to this message
Author: Magnus Holmgren
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 376] Support for DKIM
------- You are receiving this mail because: -------
You are the QA contact for the bug.

http://bugs.exim.org/show_bug.cgi?id=376




--- Comment #5 from Magnus Holmgren <holmgren@???> 2007-08-17 19:09:07 ---
I add a copy of some thoughts I sent to both exim-users and exim-dev earlier:

In a message header there can be one Originator Signature and any number of
Third-party Signatures (but in practice never more than one or maybe two).
third-party signatures are good for two things (*if you trust the signer*, of
course): 1) They can certify that the originator signature (or the previous
signature, or both; I'm not sure) was valid when it got to them: "A
DKIM-aware Mailing List Manager MUST NOT re-sign an improperly signed message
in such a way that would imply that the existing signature is acceptable."
and 2) they can certify that the message was indeed sent by the purported
originator, even if there is no originator signature, e.g. if the identity
has been established through some other means (it doesn't say this in the SSP
I-D, but you can see that it's a workable use case; an example would be the
Exim Bugzilla, which sends out notices on behalf of the person who adds
comments or changes bug fields (the mail-in interface lacks authentication
though, so we should be careful there).

This means that there *can* be DKIM features that work similarly to the
existing DK features: Exim would need a list of trusted third-party signers;
dkim_sender_domains, dkim_sender_local_parts, and dkim_senders would then
succeed if there is a matching, valid originator signature *or* there is an
originator signature that is signed by a trusted third-party signer.
dkim_status and dkim_policy could also refer to the originator signature.

But users could still want to do things with messages that are simply signed
by certain signers, even if there is no originator signature, so there are
still many things to take into account.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email