[ietf-dkim] Delegating responsibility: a make vs. buy design decision
Douglas Otis
dotis at mail-abuse.org
Tue Aug 22 16:43:54 PDT 2006
On Aug 22, 2006, at 3:59 PM, Jim Fenton wrote:
> Scott Kitterman wrote:
>>
>> We had been discussing the need to segregate authenticated
>> traffic (where authorization to use the 2822.From has been
>> established) from other traffic being signed by use of a
>> subdomain. This is to avoid issues like your mailing list
>> concern. The authorized signing domain would be the subdomain
>> that the operator has designated for the purpose.
>
> Sorry, having trouble keeping the context of the discussion right.
>
> This could be done, but dilutes the simplicity argument that
> motivated the Authorized Signing Domains approach in the first
> place. Formerly the ISP just signed using their own domain name;
> now they must create a subdomain for each of their customers,
> publish keys there, and sign each using the proper subdomain? Or
> do they sign using i=@cust49.isp.com and d=isp.com perhaps?
An ISP might use subdomains to isolate different _categories_ of
sources as denoted by the d= parameter. One such use might be for
sources where the 2822.From domains are _not_ validated.
Validated 2822.From domains could use:
dkim-signature: d=isp.com ...
From: some-validated at from-domain
The email lists might use:
dkim-signature: d=lists.isp.com
From: some-non-validated at from-domain
> But there is a residual problem. Suppose jdoe at mipassoc.org is a
> subscriber to this list and someone spoofs a message from
> jdoe at mipassoc.org to the list. ietf-dkim at mipassoc.org accepts the
> message and sends it to isp.com, their Authorized Signing Domain,
> and it is signed and sent.
For the ISP to assure the 2822.From, they would need to base their
signatures and identity assertions upon this account authentication.
The ISP should have an account specific for the mailing list. The
account should determine what domains are used to sign the message
and what assertions are applied. If the intent is to have the base
ISP.com domain represent only validated 2822.From addresses, then a
different signing domain would be needed for use by mailing-lists.
In this case, perhaps all mailing-lists are signed with the
lists.isp.com domain.
> Is the signature from jdoe (the author) or ietf-dkim (the mailing
> list)?
Account authentication must make the determination. If the message is
being relayed without direct authentication, then perhaps a subdomain
for this use might be relay.isp.com.
> Without Authorized Signing Domains, you could tell by looking at
> the local-part of i=. But now you can't. I think this is an
> important distinction, even if it only applies in a subset of use
> cases.
This is an important point and why the 2822.From policy may need to
make this 2822.From validity assertion explicit.
-Doug
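The signing policy sketched in this message (the submitting account's authentication category, not the From header, selects the d= domain; the i= local-part still names the account; a receiver reads the signer's per-domain assertion about 2822.From validity) as an added worked example. This is not code from the thread or from any DKIM implementation; the domain names, the account categories, the SIGNING_POLICY table and the PUBLISHED_ASSERTIONS lookup are constructed stand-ins for whatever explicit policy a signer would publish.

```python
"""Added example: choosing a DKIM signing domain by source category.

Constructed for illustration; not the thread's or any library's code.
"""
from dataclasses import dataclass

# Constructed signer-side policy: which d= domain each source category
# signs with, and whether that domain asserts the 2822.From was validated.
SIGNING_POLICY = {
    "authenticated_user": ("isp.com", True),        # account proved it may use the From
    "mailing_list":       ("lists.isp.com", False), # list relays unvalidated authors
    "relay":              ("relay.isp.com", False), # forwarded without direct auth
}

# Constructed receiver-side view of what each signing domain publishes
# about its 2822.From handling (stand-in for an explicit published policy).
PUBLISHED_ASSERTIONS = {
    "isp.com": True,
    "lists.isp.com": False,
    "relay.isp.com": False,
}


@dataclass
class SignatureTags:
    d: str   # signing domain
    i: str   # agent/user identity, "account@domain"


def choose_signature(category: str, account: str) -> SignatureTags:
    """Pick d= and i= from the submitting account's authentication category.

    The account decides the signing domain; a mailing-list account can
    never be signed under the validated-From domain, whatever the From says.
    """
    if category not in SIGNING_POLICY:
        raise ValueError(f"unknown source category: {category}")
    d, _asserts_from = SIGNING_POLICY[category]
    # The i= local-part keeps identifying the submitting account (author
    # vs. list), which the quoted text notes is otherwise lost.
    return SignatureTags(d=d, i=f"{account}@{d}")


def i_domain_within_d(i: str, d: str) -> bool:
    """DKIM rule: the domain part of i= must be d= or a subdomain of d=."""
    idom = i.rsplit("@", 1)[-1].lower()
    d = d.lower()
    return idom == d or idom.endswith("." + d)


def receiver_reading(d: str, i: str) -> str:
    """Receiver-side interpretation of a signature's d= and i= tags.

    Returns "validated" if the signing domain asserts the 2822.From was
    checked, "not-validated" if it explicitly does not, "unknown" if the
    domain publishes nothing, and "malformed" if i= is outside d=.
    """
    if not i_domain_within_d(i, d):
        return "malformed"
    assertion = PUBLISHED_ASSERTIONS.get(d.lower())
    if assertion is None:
        return "unknown"
    return "validated" if assertion else "not-validated"


if __name__ == "__main__":
    # The spoof scenario from the quoted text: a forged jdoe@mipassoc.org
    # message reaches the list account, which signs it under lists.isp.com.
    list_sig = choose_signature("mailing_list", "ietf-dkim")
    print(f"d={list_sig.d} i={list_sig.i} ->", receiver_reading(list_sig.d, list_sig.i))
    user_sig = choose_signature("authenticated_user", "cust49")
    print(f"d={user_sig.d} i={user_sig.i} ->", receiver_reading(user_sig.d, user_sig.i))
```

Run it directly to see the two readings side by side: the list-relayed message signs out as "not-validated", so a receiver cannot mistake the list's signature for an assertion about the forged author address, while the authenticated customer's message signs out as "validated".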