[ietf-dkim] ISSUE: Better definition of "DKIM signing complete" required
Hector Santos
hsantos at santronics.com
Fri Nov 24 16:35:32 PST 2006
----- Original Message -----
From: "Charles Lindsey" <chl at clerew.man.ac.uk>
>>> Unfortunately, the world is already way beyond 1 to 1 EMAIL.
>
>> You're kidding? Private mail is obsolete?
> No. But a lot of Email is NOT private (this List for a start).
Ok, so GROUP and/or GROUP-like mail systems existed for a long time. That
doesn't suggest that private communication is passe nor are groupware
systems replacing it.
>> But Charles, NEWS/EMAIL gateways go both ways. Your design would
>> have to work in both directions.
> No it wouldn't. There are Email2News Gateways, and there are News2Email
> gateways, and there are some which try to do both (and doing bidirectional
> gatewaying 100% safely is an unsolved - and probably insoluble - problem).
That's my point. It is a doable concept but when you begin to introduce DKIM
into it, it opens up a whole new set of Campbell Worm Soup :-)
It's like List Servers (LS). I think everyone agrees LS works fine and has
been for a long time. But now we introduce DKIM and now we are dealing
with design concepts which may require LS design alterations and people are
resistant to this. We are trying to make DKIM work with LS systems and it's
nearly impossible (DKIM isn't going to be very effective in LS in its
current state).
>> ... If you post via NEWS you are
>> talking about GATING to an EMAIL system. What are the rules here? Do
>> you hash the NNTP required headers? Do you strip them? And vice
>> versa? Same issues.
> That is exactly the question this thread is attempting to address. There
> is no question, at the moment, of requiring hashing of anything sent by
> NNTP. The best suggestion so far is that the News2Mail gateway should
> treat it as a resend and add the proper Resent-* headers. And if someone
> can convince me that would solve the problem, then I can try and get that
> written into the upcoming News protocol standard.
I think it is a separate consideration that needs to fit on top of DKIM.
There might have to be updates to the specs that might include NNTP
considerations for NNTP required headers, for example, newsgroups:, path:.
IMV, for a pure NNTP environment, the DKIM implementation is clearer. It is
the gating part of it where it gets really murky because now we are
dealing with transformation issues. And even if we limit this to one
direction, we must make sure that "other direction" doesn't become a
loophole threat.
>> I am not sure I follow but this is exactly one of the protections I
>> want - I don't want someone using my domain in such areas
> And how, precisely, do you propose to prevent it?
With SSP! <g>
>> IMV, we should stop trying to mix EMAIL vs NEWS - two different things.
> Sorry, that horse bolted through the open stable door 15 years ago.
(for longer than that)
> You just admitted that your own company writes software to do such
> gatewaying.
Right. And one would naturally think I would be among the first to support
this if it was that easy to do. But I can immediately see the major issues
across the board from point to point. This thread hasn't even touched base
with 1% of all the issues that need to be considered to implement DKIM in a
news/email system environment. For a pure NNTP newsgroup system? Sure,
very doable. But Gating? That will be very complex. Not saying it can't
be done. But I believe it would be a whole different set of rules that are
beyond the current DKIM/SSP specification. It would be a new RFC that is
based on the DKIM/SSP RFCs.
Given the current specs, can you itemize what are the "transformation"
issues in order to maintain mail integrity and SSP security? IMV, it has to
be both ways. Not just one way.
----
HLS