DKIM and email address proof-of-control

Lachlan Gunn lachlan at twopif.net
Mon Aug 1 07:31:15 CEST 2016


Hello,

Has anyone had a go at using DKIM signatures as a way of verifying
control of an email address with GPG?

I've seen a few mentions of the idea online, particularly here:


https://security.stackexchange.com/questions/107417/pgp-key-signing-robot-dkim-verified-emails/
    https://github.com/keybase/keybase-issues/issues/373

I'm thinking of building a robot-CA-type arrangement that includes
either a DKIM signature or a link to one in a signature notation.  By
including the fingerprint in such a way that the canonicalisation
doesn't allow it to be hidden from the user, it would allow us to use
existing infrastructure to demonstrate that the mail provider allows a
user to send mail from an address, without individual users having to
request the key in the first instance in order to use TOFU.

The idea wouldn't be to replace the web of trust or long-term TOFU, but
to provide a service like PGP Global Directory that doesn't have a
central point of failure.

Some of the problems that I can see:

1. Is the assumption valid that (absent server or endpoint compromise)
only a user authorised by the provider can get a DKIM signature on mail
with a From address from that provider?  We need to be careful to avoid
allowing people to get a signature in the name of a mailing list, for
example.  This may be possible to solve via whitelisting.

2. Is there anything that can get lost in the canonicalisation?  For
example, a mailto: link might provide an apparently-blank message with a
fingerprint at the bottom after a screenfull of newlines.  My
experiments with Gmail and Thunderbird suggest that this cannot be
easily done with the subject line, making that the best place to put the
fingerprint.

3. How do you protect against attacks involving reply-to?  Is the lack
of a Re: in the subject line sufficiently convincing?

4. Given that DNSSec isn't universal, can we do better than trusting DNS
results for the public key queries without just shifting the single
point of failure somewhere else?

5. This only validates the email address, not the name.  I'm not aware
of any way to signal this without a custom notation, though I would be
most pleased to hear otherwise.

If there is a catastrophic flaw in the idea, then any feedback would be
very much appreciated.

Thanks,
Lachlan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20160801/cefd02c5/attachment.sig>


More information about the Gnupg-users mailing list