[ietf-dkim] Delegating responsibility: a make vs. buy design
dotis at mail-abuse.org
Tue Aug 22 16:43:54 PDT 2006
On Aug 22, 2006, at 3:59 PM, Jim Fenton wrote:
> Scott Kitterman wrote:
>> We had been discussing the need to segregated authenticated
>> traffic (where authorization to use the 2822.From has been
>> established) from other traffic being signed by use of a
>> subdomain. This is to avoid issues like your mailing list
>> concern. The authorized signing domain would be the subdomain
>> that the operator has designated for the purpose.
> Sorry, having trouble keeping the context of the discussion right.
> This could be done, but dilutes the simplicity argument that
> motivated the Authorized Signing Domains approach in the first
> place. Formerly the ISP just signed using their own domain name;
> now they must create a subdomain for each of their customers,
> publish keys there, and sign each using the proper subdomain? Or
> do they sign using firstname.lastname@example.org and d=isp.com perhaps?
An ISP might use subdomains to isolate different _categories_ of
sources as denoted by the d= parameter. One such use might be for
sources where the 2822.From domains are _not_ validated.
Validated 2822.From domains could use:
dkim-signature: d=isp.com ...
From: some-validated at from-domain
The email-lists might could use:
From: some-non-validated at from-domain
> But there is a residual problem. Suppose jdoe at mipassoc.org is a
> subscriber to this list and someone spoofs a message from
> jdoe at mipassoc.org to the list. ietf-dkim at mipassoc.org accepts the
> message and sends it to isp.com, their Authorized Signing Domain,
> and it is signed and sent.
For the ISP to assure the 2822.From, would need to base their
signatures and identity assertions upon this account authentication.
The ISP should have an account specific for the mailing list. The
account should determine what domains are used to sign the message
and what assertions are applied. If the intent is have the base
ISP.com domain represent only validated 2822.From addresses, then a
different signing domain would be needed for use by mailing-lists.
In this case, perhaps all mailing-lists are signed with the
> Is the signature from jdoe (the author) or ietf-dkim (the mailing
Account authentication must make the determination. If the message is
being relayed without direct authentication, then perhaps a subdomain
for this use might be relay.isp.com.
> Without Authorized Signing Domains, you could tell by looking at
> the local-part of i=. But now you can't. I think this is an
> important distinction, even if it only applies in a subset of use
This is an important point and why the 2822.From policy may need to
make this 2822.From validity assertion explicit.
More information about the ietf-dkim