1
DKIM Overview
  • MASS BOF
  • IETF63, Paris
  • 4 August 2005
  • ietf-mailsig@imc.org

2
DKIM Goals
  • Low-cost (avoid large PKI, new Internet services)
  • No trusted third parties required
  • No client User Agent upgrades required
  • Minimal changes for (naïve) end users
  • Validate message itself (not just path)
  • Allow sender delegation (e.g., outsourcing)
  • Extensible (key service, hash, public key)
  • Structure usable for per-user signing

3
Technical Overview
  • Signs body and selected header fields
  • Signature transmitted in DKIM-Signature header
    field
  • DKIM-Signature is self-signed (the field itself is
    covered by the signature, with its b= value empty)
  • Signature includes the signing identity (not
    inherently tied to From, Sender, or even
    header)
  • Initially, public key stored in DNS (new RR type,
    fall back to TXT) in _domainkey subdomain
  • Namespace divided using selectors, allowing
    multiple keys for aging, delegation, etc.
  • Sender Signing Policy lookup for unsigned,
    improperly signed, or third-party signed mail

4
DKIM-Signature header
  • Example:

DKIM-Signature: a=rsa-sha1; q=dns; d=example.com;
    i=user@eng.example.com; s=jun2005.eng; c=nowsp;
    t=1117574938; x=1118006938; h=from:to:subject:date;
    b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR

  • DNS query will be made to
    jun2005.eng._domainkey.example.com
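The header on this slide, handled the way a verifier would begin, as an added Python example that is not part of the slides: it parses the tags, derives the selector._domainkey.domain lookup name, checks that i= lies within d= and that x= has not passed, and builds the header input the signature covers, i.e. the h= fields followed by the DKIM-Signature field with b= emptied, which is the "self-signed" point of the previous slide. The message headers, the nowsp approximation (strip all whitespace, lowercase the field names) and the bottom-up selection of repeated headers are assumptions made for the demonstration; the RSA step is omitted because the slide's b= value is illustrative and no key is published for it.

```python
import hashlib
import re

# Constructed copy of the slide's example header (draft-era tags q=dns, c=nowsp).
EXAMPLE_SIG = (
    "DKIM-Signature: a=rsa-sha1; q=dns; d=example.com; "
    "i=user@eng.example.com; s=jun2005.eng; c=nowsp; "
    "t=1117574938; x=1118006938; h=from:to:subject:date; "
    "b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR"
)

# Constructed message headers; X-Mailer is not listed in h=, so it is unsigned.
EXAMPLE_HEADERS = [
    "From: user@eng.example.com",
    "To: joe@example.org",
    "Subject: demo run",
    "Date: Wed, 1 Jun 2005 13:28:58 -0700",
    "X-Mailer: constructed-client/1.0",
]


def nowsp(text):
    """Approximation of the draft's 'nowsp' canonicalization: drop all whitespace."""
    return re.sub(r"\s+", "", text)


def parse_tags(field):
    """Split a 'DKIM-Signature: a=..; b=..' field into a tag -> value dict."""
    value = field.split(":", 1)[1]
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)  # b= base64 may itself end in '='
            tags[name.strip()] = nowsp(val)
    return tags


def key_query_name(tags):
    """The DNS name the slide says is queried: selector._domainkey.signing-domain."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def identity_within_domain(tags):
    """i= must be d= itself or a subdomain of it; it need not match From:."""
    i_domain = tags["i"].rsplit("@", 1)[-1].lower()
    d = tags["d"].lower()
    return i_domain == d or i_domain.endswith("." + d)


def is_expired(tags, now):
    """x= is an absolute expiry in seconds since the epoch; no x= means no expiry."""
    return "x" in tags and now > int(tags["x"])


def signed_header_input(headers, sig_field):
    """Bytes the signature covers: each h= field (bottom-most unused instance,
    as RFC 4871 later specified), then the DKIM-Signature field itself with
    its b= value emptied. That last step is what makes it 'self-signed'."""
    tags = parse_tags(sig_field)
    remaining = [h.split(":", 1) for h in headers]
    out = []
    for wanted in tags["h"].split(":"):
        for idx in range(len(remaining) - 1, -1, -1):
            if remaining[idx][0].lower() == wanted.lower():
                name, val = remaining.pop(idx)
                out.append(nowsp(name.lower() + ":" + val))
                break
    name, val = re.sub(r"\bb=[^;]*", "b=", sig_field).split(":", 1)
    out.append(nowsp(name.lower() + ":" + val))
    return "".join(out).encode()


def header_hash(headers, sig_field):
    """SHA-1 of the covered header input (a=rsa-sha1); the RSA step is omitted."""
    return hashlib.sha1(signed_header_input(headers, sig_field)).hexdigest()


if __name__ == "__main__":
    tags = parse_tags(EXAMPLE_SIG)
    print("lookup:", key_query_name(tags))
    print("i= within d=:", identity_within_domain(tags))
    print("expired at 1118006939:", is_expired(tags, 1118006939))
    print("header hash:", header_hash(EXAMPLE_HEADERS, EXAMPLE_SIG))
```

Editing Subject (listed in h=) changes the covered hash, editing X-Mailer (not listed) does not, and replacing the b= value leaves the hash unchanged because b= is emptied before hashing; those three properties are exactly what "signs selected header fields" and "self-signed" on the previous slide mean in practice.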
5
Controversial Points
  • Not using S/MIME, OpenPGP, PEM, ...
    • Different goals, not intended to displace them
  • Use of i=, g=
    • Not redundant, e.g., g=marketing-*
  • Body length counts (l=)
  • Extensive per-user keys in DNS may hurt DNS
    • Should extend query mechanisms for this
  • Replay attacks
    • Not a bug (same as S/MIME or OpenPGP)
  • Canonicalization algorithms
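Why the body length count (l=) is on this list, as an added Python example that is not part of the slides: with l= set to the canonical body length, anything appended after that point is outside the hash, so a relay or attacker can add text and the signature still verifies; without l= the same append breaks verification. The body text, the appended text and the nowsp approximation (strip all whitespace) are constructed for the demonstration, and the body hash is compared directly rather than carried inside an RSA signature.

```python
import hashlib
import re

# Constructed body as the signer saw it, and text a relay or attacker appends later.
ORIGINAL_BODY = "Hello Joe,\r\n\r\nThe build is green.\r\n-- Alice\r\n"
APPENDED = "\r\nClaim your bonus at http://phish.example/\r\n"


def canonical_body(body):
    """Approximation of the draft's 'nowsp' canonicalization: drop all whitespace."""
    return re.sub(r"\s+", "", body).encode()


def sign_body(body, use_l):
    """Signer side: the body hash and, if l= is used, the canonical byte count
    the signature covers. Returns (hex_digest, l) with l None when unused."""
    canon = canonical_body(body)
    l = len(canon) if use_l else None
    return hashlib.sha1(canon).hexdigest(), l


def verify_body(body, expected_hash, l):
    """Verifier side: hash only the first l canonical bytes when l= is present."""
    canon = canonical_body(body)
    covered = canon if l is None else canon[:l]
    return hashlib.sha1(covered).hexdigest() == expected_hash


def unsigned_tail(body, l):
    """Canonical bytes beyond l= that the signature says nothing about; a
    cautious verifier reports or rejects a message where this is non-empty."""
    canon = canonical_body(body)
    return b"" if l is None else canon[l:]


if __name__ == "__main__":
    digest, l = sign_body(ORIGINAL_BODY, use_l=True)
    tampered = ORIGINAL_BODY + APPENDED
    print("l= verifies original:", verify_body(ORIGINAL_BODY, digest, l))
    print("l= verifies appended:", verify_body(tampered, digest, l))
    print("unsigned tail:", unsigned_tail(tampered, l))
    digest, l = sign_body(ORIGINAL_BODY, use_l=False)
    print("no l=, appended verifies:", verify_body(tampered, digest, l))
```

The practical check is unsigned_tail: a verifier that treats a non-empty tail as unsigned content, rather than passing the whole message as verified, keeps l= from becoming a way to attach unsigned text under a valid signature.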

6
Further Work Needed
  • Resolve bullets from previous slide
  • New DNS RRs undefined
  • Sender Signing Policy document needs work
    • Notably binding of signature to header fields
  • Threats document
    • Discussed in Security Considerations; separate
      document in process