Presentation is loading. Please wait.

Presentation is loading. Please wait.

MASS BOF IETF63, Paris 4 August 2005

Published byConstance Singleton Modified over 5 years ago

Similar presentations

Presentation on theme: "MASS BOF IETF63, Paris 4 August 2005"— Presentation transcript:

1 MASS BOF IETF63, Paris 4 August 2005 ietf-mailsig@imc.org
DKIM Overview MASS BOF IETF63, Paris 4 August 2005

2 DKIM Goals Low-cost (avoid large PKI, new Internet services)
No trusted third parties required No client User Agent upgrades required Minimal changes for (naïve) end users Validate message itself (not just path) Allow sender delegation (e.g., outsourcing) Extensible (key service, hash, public key) Structure usable for per-user signing

3 Technical Overview Signs body and selected header fields
Signature transmitted in DKIM-Signature header field DKIM-Signature is self-signed Signature includes the signing identity (not inherently tied to From:, Sender:, or even header) Initially, public key stored in DNS (new RR type, fall back to TXT) in _domainkey subdomain Namespace divided using selectors, allowing multiple keys for aging, delegation, etc. Sender Signing Policy lookup for unsigned, improperly signed, or third-party signed mail

4 DKIM-Signature header
Example: DNS query will be made to: DKIM-Signature: a=rsa-sha1; q=dns; d=example.com; s=jun2005.eng; c=nowsp; t= ; x= ; h=from:to:subject:date; b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSb av+yuU4zGeeruD00lszZVoG4ZHRNiYzR • a= Hash/signing algorithm • q= Algorithm for getting public key • d= Signing domain • i= Signing identity • s= Selector • c= Canonicalization algorithm • t= Signing time (seconds since 1/1/1970) • x= Expiration time • h= List of headers included in signature; dkim-signature is implied • b= The signature itself jun2005.eng._domainkey.example.com

5 Controversial Points Not using S/MIME, OpenPGP, PEM, … Use of i= & g=
Different goals, not intended to displace Use of i= & g= Not redundant, e.g., g=marketing-* Body length counts (l=) Extensive per-user keys in DNS may hurt DNS Should extend query mechanisms for this “Replay attacks” Not a bug (same as S/MIME or OpenPGP) Canonicalization algorithms

6 Further Work Needed Resolve bullets from previous slide
New DNS RRs undefined Sender Signing Policy document needs work Notably binding of signature to header fields Threats document Discussed in Security Considerations; separate document in process

Download ppt "MASS BOF IETF63, Paris 4 August 2005"

Similar presentations

Public Key Infrastructure and Applications

Public Key Infrastructure and Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,

 A public-key infrastructure ( PKI ) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store,
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
DKIM WG IETF-67 DKIM Originating Signing Policy Douglas Otis

DKIM WG IETF-67 DKIM Originating Signing Policy Douglas Otis
DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc.

DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Application of Attribute Certificates in S/MIME Greg Colla & Michael Zolotarev Baltimore Technologies 47 th IETF Conference Adelaide, March 2000.

Application of Attribute Certificates in S/MIME Greg Colla & Michael Zolotarev Baltimore Technologies 47 th IETF Conference Adelaide, March 2000.
DomainKeys Identified Mail (DKIM) D. Crocker ~ bbiw.net dkim.org  Consortium spec Derived from Yahoo DomainKeys and Cisco Identified Internet Mail  IETF.

DomainKeys Identified Mail (DKIM) D. Crocker ~ bbiw.net dkim.org  Consortium spec Derived from Yahoo DomainKeys and Cisco Identified Internet Mail  IETF.
DomainKeys Identified Mail (DKIM) D. Crocker Brandenburg InternetWorking mipassoc.org/mass  Derived from Yahoo DomainKeys and Cisco.

DomainKeys Identified Mail (DKIM) D. Crocker Brandenburg InternetWorking mipassoc.org/mass  Derived from Yahoo DomainKeys and Cisco.
SMUCSE 5349/49 Email Security. SMUCSE 5349/7349 Threats Threats to the security of e-mail itself –Loss of confidentiality E-mails are sent in clear over.

SMUCSE 5349/49 Security. SMUCSE 5349/7349 Threats Threats to the security of itself –Loss of confidentiality s are sent in clear over.
Pilot project proposal: AffiL Affiliated domain names for trust Dave Crocker Brandenburg InternetWorking bbiw.net

Pilot project proposal: AffiL Affiliated domain names for trust Dave Crocker Brandenburg InternetWorking bbiw.net
Identity Based Email Sender Authentication for Spam Mitigation Sufian Hameed (FAST-NUCES) Tobias Kloht (University of Goetingen) Xiaoming Fu (University.

Identity Based Sender Authentication for Spam Mitigation Sufian Hameed (FAST-NUCES) Tobias Kloht (University of Goetingen) Xiaoming Fu (University.
Masud Hasan 03-60-475 SecueEmail VS Hushmail Project 2.

Masud Hasan Secue VS Hushmail Project 2.
DKIM Reporting Murray S. Kucherawy. The Problems to Solve Senders want to know when their brands are being violated –Mail being forged as coming from.

DKIM Reporting Murray S. Kucherawy. The Problems to Solve Senders want to know when their brands are being violated –Mail being forged as coming from.
A Trust Overlay for Email Operations: DKIM and Beyond Dave Crocker Brandenburg Internet Working bbiw.net Apricot / Perth 2006 Dave Crocker Brandenburg.

A Trust Overlay for Operations: DKIM and Beyond Dave Crocker Brandenburg Internet Working bbiw.net Apricot / Perth 2006 Dave Crocker Brandenburg.
Advanced Mail. Greylisting mail/postgrey /usr/local/etc/postfix/postgrey_whitelist_clients /usr/local/etc/postfix/postgrey_whitelist_recipients.

Advanced Mail. Greylisting mail/postgrey /usr/local/etc/postfix/postgrey_whitelist_clients /usr/local/etc/postfix/postgrey_whitelist_recipients.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Similar presentations

Ads by Google