[ietf-dkim] Re: ISSUE: Better definition of "DKIM signing complete"
nobody at xyzzy.claranet.de
Fri Nov 24 02:56:36 PST 2006
Stephen Farrell wrote:
>> "The protocol MUST state what 'DKIM signing complete' precisely
>> means wrt common practises like resending, news, and other uses
>> of a 2822-From address".
> Two questions:
> Can you provide us with an example of the kind of statement
> you'd envisage being made in an SSP protocol draft?
"At the moment 'DKIM-signing-complete' means that addresses of the
given domain cannot be used in the From header field of Netnews
articles. All newsgroups can be exported from news by news2mail
gateways to mail. For moderated newsgroups articles can be
forwarded almost as is by mail from the server where the article
was submitted to the moderator, or forwarded by mail from one to
another moderator in the case of cross-posts in multiple moderated
Maybe too verbose. The complete list of issues with PRA, plus some
additional issues for the 2822-From-centric POV of SSP, if it uses
the latter (at the moment 6.3 says it does).
> I don't understand why we, now, need to care about other uses of
> the 2822-From address?
Because the terminology is messy. The 2821-From is something like
an envelope-sender, the 2822-From is something like an author, the
news-From (T -6 days to first opportunity of approval) is a poster.
As soon as I say 2822-Resent-From or Resent-Sender: me any decrees
of the original author in an SSP about 2822-From are at best wishful
thinking. In one of his anti-replay strategies Doug proposed to
strip the signature at the MDA, and then the resender can't resend
this signature even if she's willing to try this.
All I know about MMS-to-mail gateways is that there's an RFC about
it. Somebody knowing what it's about has to check if and what it
means wrt 'DKIM-signing-complete'. Maybe nothing, then it's fine.
Or maybe it means "'DKIM-signing-complete' domains cannot be used
in MMS", and if that's the case then SSP has to say so explicitly.
Is somebody here a 'lemonade' expert? A 2822-From can be used in
many applications, transformed into mail at some point. I have no
clue where that might be a problem wrt a 'DKIM-signing-complete'
SSP, the news2mail case is only the most obvious.
Another obvious case which should be explicitly mentioned in the
'DKIM-signing-complete' explanation is SenderID spf2.0/pra: Even
if we don't care about PRA, a PRA == 2822-From is a normal case.
A domain claiming to be 'DKIM-signing-complete' has to be sure that
there's some DKIM-signing agent on _all_ routes before one of their
spf2.0/pra PASS or NEUTRAL IPs. Otherwise they screwed up, causing
harm for mails "from" their domain.