
DKIM shortcomings

Posted Jun 22, 2006 11:03 UTC (Thu) by dd9jn (✭ supporter ✭, #4459)
Parent article: Domain Keys for email sender authentication

DKIM is in principle the right solution. Signing the entire mail and not just the headers or some of them allows one to actually check for good or bad content.

The problem is that they try to invent the wheel from scratch. Instead of using established and well-matured digital signing protocols like S/MIME or OpenPGP they came up with an entirely new protocol. This DKIM protocol needs to go a long way until it will be useful and can't be abused.

For example, their canonicalization rules are very complicated. As they stand now, they allow the mail to be modified by injecting new content and invisibly changing the existing MIME content. It will be easy for spammers to take existing valid signed DKIM messages as a template, insert their cruft and resend them to the world. Verification according to DKIM rules will show a valid and authentic message :-(.

FWIW, with gpg 1.4.3 we are experimenting with a system called PKA which does exactly the same as DKIM but uses OpenPGP and may also be used for S/MIME.



DKIM shortcomings

Posted Jun 23, 2006 21:35 UTC (Fri) by pimlott (guest, #1535) [Link]

Your message is right on--if Domain Keys were simply a key management mechanism and not a new message format, we'd be a lot closer to practical email authentication. Good luck with PKA.
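
An added example, not part of either comment and not code from the DKIM project: a verifier-side check for the canonicalization concern raised in the first comment. It assumes the "relaxed" body canonicalization and the `l=` body length tag as later standardized in RFC 6376 (the thread names no specific rule), checks only the body hash rather than the RSA signature, and uses a constructed message with the hypothetical helper `sample_sig`.

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization: collapse whitespace runs, strip
    trailing whitespace on each line, drop empty lines at the end."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, l=None) -> str:
    """bh= value: SHA-256 over the canonical body, truncated to l octets."""
    canon = relaxed_body(body)
    if l is not None:
        canon = canon[:l]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def unsigned_tail(body: bytes, l=None) -> int:
    """Octets of canonical body that the body hash does not cover."""
    return 0 if l is None else max(0, len(relaxed_body(body)) - l)

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # remove folding whitespace
    return tags

def check(sig_value: str, body: bytes) -> str:
    """Body-hash verdict; a matching hash with uncovered content is flagged."""
    tags = parse_tags(sig_value)
    l = int(tags["l"]) if "l" in tags else None
    if body_hash(body, l) != tags["bh"]:
        return "bh-mismatch"
    return "pass-unsigned-tail" if unsigned_tail(body, l) else "pass"

# Constructed sample input (not a real message or signature).
ORIGINAL = b"Hello   world \r\nSecond line\r\n"

def sample_sig(body: bytes, with_l: bool) -> str:
    """Hypothetical helper: tags a signer would emit for this body."""
    n = len(relaxed_body(body)) if with_l else None
    sig = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; bh=" + body_hash(body, n)
    return sig + (f"; l={n}" if with_l else "")
```

A receiver can treat `pass-unsigned-tail` as a failed or unsigned message; without `l=`, the same appended content changes the hash and the check returns `bh-mismatch`.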

