[ietf-dkim] A more fundamental SSP axiom
dotis at mail-abuse.org
Sat Aug 5 15:23:35 PDT 2006
On Sat, 2006-08-05 at 14:54 -0400, Hector Santos wrote:
> From: "Douglas Otis" <dotis at mail-abuse.org>
> > The default assumption of a listed domain in the policy would be to
> > assume "I sign all". This could even be called the "I sign all" list.
> > The only embellishment needed would be the "Only". The default policy
> > when none is found would be an empty list with the assumed "I sign all"
> > assertion.
> In terms of the DSAP draft syntax:
> OP=ALWAYS; 3P=NEVER; # Only "I" sign mail
> OP=ALWAYS; 3P=ALWAYS; # "I" sign mail
> 3PL=; # defined, but empty list;
> In terms of the SSP draft syntax:
> o=! # All mail from the entity is signed; Third-Party signatures
> # SHOULD NOT be accepted
> But the SSP I-D stills has the "semantics" argument of what is meant by
> "Third-Party signatures SHOULD NOT be accepted." I took this to mean 100%
> exclusivity. Apparently that is not what it means. Hence one of the reasons
> for a "Fill in the holes" DSAP I-D proposal
A major benefit regarding a DKIM From policy is in facilitating
relationships between different From and signing domains. Other methods
involve greater coordination between DNS and email providers. Zone
delegation or selector/key arrangements are not easily achieved with a
simple "fill in the blank" style questionnaire. Zone delegation or
key/selector arrangements likely require an arrangement of trust beyond
the immediate customer to achieve the needed transaction. This
additional element of trust will likely act as a barrier to greater use.
Imagine that an organization certifies DKIM signing domains as doing the
"Right Thing". The "Right Thing" might be using authenticated SSL 587
port submissions, where the From address has been vetted in some
fashion. This vetting might be acknowledgments of receipt as commonly
used for mail-lists, or anything deemed trustworthy by the
In the event that this mode of delegation "by way of policy" becomes
popular, an assertion that Foo signs for Bar may be fairly common. Your
terminology attempts to make assertions specifically related to the From
domain separately from that of other listed domains. This fails to make
a clear distinction for a listed domain. With your terminology, the
listed domain is easily confused as being some undefined signer, which
is not right. It seems safer to include the From domain _and_ the other
listed domains into just one category of Designated Signing Domains.
Any domain listed in the DKIM From policy would be a Designated Signing
Domain. Apply _any_ assertion to this entire DSD category.
The default assertion for _any_ listed domain is "Always Signs".
There Foo indicates they always sign.
It would confusing to use a 3PL entry to indicate no other signature
unfriendly services are being used that might perhaps originate a
message using the From domain. Here a flag, perhaps at the end of the
list, could make this stipulation. Call this the Only, Exclusive,
Closed-ended, or Complete-List flag. To illustrate, this flag is "." or
The "Only" Flag stipulates that no other services are used. Further
examination of possible e-invites or mailing lists are require or
desired, as they are not used. This policy would be something like:
"DKIM-FP: Foo, ."
Sends no mail would be:
May or may not sign would be:
Both Foo and Bar sign (for Bar) would be:
DKIM-FP: Foo, Bar"
More information about the ietf-dkim