[ietf-dkim] ISSUE: Better definition of "DKIM signing complete" required

Hector Santos hsantos at santronics.com
Thu Nov 23 16:07:06 PST 2006


Charles Lindsey wrote:
> On Thu, 23 Nov 2006 14:05:36 -0000, Stephen Farrell 
> <stephen.farrell at cs.tcd.ie> wrote:
> 
>> I don't understand why we, now, need to care about other
>> uses of the 2822-From address? (And if we did, then why news and
>> not, say kerberos, where the same string may occur.)
> 
> Because news and email regularly get gatewayed into each other.

But this suggests that you have a DKIM-NNTP based protocol as well as a 
DKIM-EMAIL protocol which is what the DKIM system only currently supports.

I think we are asking for way too much trying to get DKIM to work in a 
NEWS/EMAIL gateway environment, especially when there is no standard for 
such processing and transformation.  And even then, it shouldn't be a 
big issue as long as the "twain shall never meet."  NEWS is NEWS, EMAIL 
is EMAIL.  Transformation concepts would have to be done in such a way that 
they appear to be independent of each other.

You need to address the base system first which is 1 to 1 EMAIL concept 
before we even have a chance to make it work in a 1 to MANY or MANY to 
MANY environment.

> Suppose foo.example announces that it "signs everything" (presumably we 
> intend that to mean all emails). So if joe at foo.example sends an unsigned 
> email, it is sure to be treated with "suspicion".
> 
> But what if joe at foo.example posts an article to some newsgroup? DKIM in 
> Usenet might be found to be a good idea someday, but it is not likely to 
> be in our drafts and is not in our charter. 

Right, so why are we fussing around with this can of worms?  If the user 
with an exclusive domain is going outside a domain policy to post mail 
in a newsgroup, then isn't this exactly what we might want to protect 
against?  The domain has gone to the trouble to protect itself with DKIM 
because it may not want such activity with its domain property.  Why 
should we go against those wishes?   If the domain doesn't want this, 
then it shouldn't use DKIM/SSP.

In my view, implementing DKIM for NNTP would have to be a GROUP concept, 
which is what NNTP is designed to be - a GROUP conferencing system.  This 
is much different than a DKIM 1 to 1 concept.

Granted, many systems have successfully "merged" the two - such as our 
own  Wildcat! SMTP and NNTP Server framework with its NEWS/EMAIL 
interface system.  Sysops can expose news conferences and the outbound 
mail goes as email and vice-versa.  But the transformation is still done 
on the idea that they are independent of each other.

> And maybe (USEFOR hat on here) gateways from news to email ought 
> to be adding suitable Resent-* headers.

IMV, we should stop trying to mix EMAIL vs NEWS - two different things.

It is already a major consideration just adding DKIM into our email 
framework.  It would be almost impossible to begin even thinking about 
throwing DKIM into our NNTP framework.

We are going way overboard with this DKIM consideration.

Anyway, that's my opinion on this.

Thanks for listening.

---
HLS