[ietf-dkim] #1398

Hallam-Baker, Phillip pbaker at verisign.com
Fri Mar 2 08:32:33 PST 2007 

That OK then, thanks, for clearing that up.

My view of DKIM policy is that there is policy information in both the policy record and the key records as folows:

 * A key record describes a POSSIBLE method of signature
 * A policy record describes what is NECESSARY

Since we only consult policy if the key record chacks are unsatisfactory the set of algorithm constraint etc descriptions in the key record needs to be self-sufficient.


> -----Original Message-----
> From: Michael Thomas [mailto:mike at mtcc.com] 
> Sent: Friday, March 02, 2007 10:37 AM
> To: Hallam-Baker, Phillip
> Cc: Frank Ellermann; ietf-dkim at mipassoc.org
> Subject: Re: [ietf-dkim] #1398
> 
> Hallam-Baker, Phillip wrote:
> > Are you proposing to put this list in the policy record or 
> the key record?
> >
> > I am prepared to think about whether it is necessary in the 
> key record or not. It does not in my view belong in the policy record.
> >   
> 
> It would need linked through the policy record to satisfy 
> Frank's issue, I think. Otherwise, if I got a message without 
> a signature for the Sender, say, I wouldn't know that that 
> was abnormal unless I did an SSP lookup. The selector 
> wouldn't work since you don't have a selector to look up.
> 
>        Mike
> > The way to express any policy more complex than 'I always 
> sign' is to put all the complexity into the key record and to 
> provide a means of specifying a restriction set on the key 
> records as in the proposed 1368 mechanism.
> >
> > Otherwise you would end up with complexity in both the key 
> record and the policy record. You have to have the 
> information in the key record as well because a key record is 
> implicitly a statement 'this is one way in which I might sign'. 
> >
> >   
> >> -----Original Message-----
> >> From: ietf-dkim-bounces at mipassoc.org 
> >> [mailto:ietf-dkim-bounces at mipassoc.org] On Behalf Of Michael Thomas
> >> Sent: Thursday, March 01, 2007 4:56 PM
> >> To: Frank Ellermann
> >> Cc: ietf-dkim at mipassoc.org
> >> Subject: Re: [ietf-dkim] #1398
> >>
> >> Frank Ellermann wrote:
> >>     
> >>>> nothing prevents you from doing an SSP lookup on any address or 
> >>>> domain that you desire, so at some level you are accommodated.
> >>>>     
> >>>>         
> >>> No, it's not obvious what it means if the 2822-From domain
> >>>       
> >> claims to
> >>     
> >>> sign all mails, and the Resent-From domain makes no statement.
> >>>   
> >>>       
> >> In my implementation I can (and do) sign for a configurable set of 
> >> addresses including From, Sender, Listid, etc. SSP has the 
> concept of 
> >> "I sign everything" which right now is implicitly the From address.
> >> What I'm wondering is whether we should make that binding more 
> >> explicit even if we ultimately only choose From, and make it an 
> >> extensible list sort of like:
> >>
> >> p=sign-complete:From;
> >>
> >> Perhaps now, perhaps in the future we could extent that to be 
> >> something like:
> >>
> >> p=sign-complete:From:Sender:Listid;
> >>
> >> Which I'm pretty sure addresses your issue directly.
> >>
> >>
> >>        Mike
> >> _______________________________________________
> >> NOTE WELL: This list operates according to 
> >> http://mipassoc.org/dkim/ietf-list-rules.html
> >>
> >>     
> 
>

More information about the ietf-dkim mailing list