[dmarc-discuss] Original Authentication Results

[Murray S. Kucherawy]

Hello DMARC community,

One of the adjunct proposals that DMARC might make use of is the concept of transitive trust.  The general idea is as follows:


-          A sends mail to B; A applies a DKIM signature or has an SPF record that attests to the sender's responsibility for the message

-          B conducts DKIM or SPF validation of A's message

-          B now alters the message in some way

-          B re-mails the message to C, such as in a mailing list scenario

For SPF, the relay nature of this arrangement virtually guarantees that C's evaluation will fail.  For DKIM, the alteration B makes invalidates the signature.  In either case, C will get a double-fail.

In the case where C explicitly trusts B, B could make some kind of annotation to the message that indicates "When I got this message, DKIM and/or SPF passed.  You can, if you wish, believe me when I say so."  C could use this to lend credibility to the message and apply reputation even though it was not able to make a positive determination about the valid use of the evaluated domain name itself.

Although a specific application of Authentication-Results (RFC5451) could theoretically serve this purpose, the deployed base might find doing so difficult (or perhaps more importantly, easy to get wrong).  Specific semantics have to be applied for that to work.  The DMARC development team therefore is advancing an adjunct proposal that can be found here: https://datatracker.ietf.org/doc/draft-kucherawy-original-authres/

Reviews and comments of that document would be welcome.

Thanks,
-MSK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://medusa.blackops.org/pipermail/dmarc-discuss/attachments/20120229/3482a3b6/attachment.htm>