[ietf-dkim] Re: ISSUE: Better definition of "DKIM signing
complete" required
Stephen Farrell
stephen.farrell at cs.tcd.ie
Fri Nov 24 03:17:01 PST 2006
Frank Ellermann wrote:
> Stephen Farrell wrote:
>
> [proposed requirement]
>>> "The protocol MUST state what 'DKIM signing complete' precisely
>>> means wrt common practises like resending, news, and other uses
>>> of a 2822-From address".
>
>> Two questions:
>> Can you provide us with an example of the kind of statement
>> you'd envisage being made in an SSP protocol draft?
>
> "At the moment 'DKIM-signing-complete means that addresses of the
> given domain cannot be used in the From header field of Netnews
> articles. All newsgroups can be exported from news by news2mail
> gateways to mail. For moderated newsgroups articles can be
> forwarded almost as is by mail from the server where the article
> was submitted to the moderator, or forwarded by mail from one to
> another moderator in the case of cross-posts in multiple moderated
> newsgroups."
>
> Maybe too verbose. The complete list of issues with PRA, plus some
> additional issues for the 2822-From-centric POV of SSP, if it uses
> the latter (at the moment 6.3 says it does).
I don't think its too verbose, but I don't understand how it
answers the question I asked ;-)
You want to add a requirement "The protocol MUST...state..."
I wanted you to give me a strawman statement that would meet
that requirement (that you think is reasonable).
>
>> I don't understand why we, now, need to care about other uses of
>> the 2822-From address?
>
> Because the terminology is messy. The 2821-From is something like
> an envelope-sender, the 2822-From is something like an author, the
> news-From (T -6 days to first opportunity of approval) is a poster.
>
> As soon as I say 2822-Resent-From or Resent-Sender: me any decrees
> of the original author in an SSP about 2822-From are at best wishful
> thinking. In one of his anti-replay strategies Doug proposed to
> strip the signature at the MDA, and then the resender can't resend
> this signature even if she's willing to try this.
>
> All I know about MMS-to-mail gateways is that there's an RFC about
> it. Somebody knowing what it's about has to check if and what it
> means wrt 'DKIM-signing-complete'. Maybe nothing, then it's fine.
>
> Or maybe it means "'DKIM-signing-complete' domains cannot be used
> in MMS", and if that's the case then SSP has to say so explicitly.
>
> Is somebody here a 'lemonade' expert ? A 2822-From can be used in
> many applications, transformed into mail at some point. I have no
> clue where that might be a problem wrt a 'DKIM-signing-complete'
> SSP, the news2mail case is only the most obvious.
>
> Another obvious case which should be explicitly mentioned in the
> 'DKIM-signing-complete' explanation is SenderID spf2.0/pra: Even
> if we don't care about PRA, a PRA == 2822-From is a normal case.
>
> A domain claiming to be 'DKIM-signing-complete' has to be sure that
> there's some DKIM-signing agent on _all_ routes before one of their
> spf2.0/pra PASS or NEUTRAL IPs. Otherwise they screwed up, causing
> harm for mails "from" their domain.
I think that last is a fair point. But I'm still not convinced that
it's up to the DKIM WG (now) to figure out all details of all such
gatewaying cases, which is where we'd be heading if we start on that
road.
Stephen.
More information about the ietf-dkim
mailing list