[ietf-dkim] Re: ISSUE 1525 -- Restriction to posting by first Author breaks email semantics

Douglas Otis dotis at mail-abuse.org
Wed Jan 23 12:26:11 PST 2008


On Jan 22, 2008, at 10:42 PM, Jim Fenton wrote:

> The question of what qualifies as an Author Signature is a different  
> issue and we need to use the same definition in the multiple From  
> address case as in the single From address case.  That is issue  
> #1519, and let's discuss it in the context of that issue.

Jim,

You are missing the point.  The requirements created by the Author  
Signature definition are breaking email semantics.  This problem exists  
whether the SSP process depends upon policy being obtained from the  
first or all email-address domains within the From header.  The  
suggested solution was to have signatures with a domain at or above  
the domain of the From address in question to provide "all" or  
"strict" compliance.  (An exception would need to be made only for g=  
restricted keys.)  By depending upon just the _domain_, a signature  
could be on-behalf-of the Sender header, or any other header for that  
matter, and provide SSP compliance.  Basing compliance upon just the  
domain avoids semantic problems created when a Sender entity  
introduces the message, rather than the From entity.

> I don't think that the specification should specify a limit on the  
> number of From address domains that should be checked, because RFC  
> 2822 doesn't specify a limit.  As a practical matter, some verifiers  
> may decide to impose their own limits, and I don't think that  
> introduces a problem with "interchange".  SSP is really about giving  
> additional information to the verifier, and if they decide not to  
> avail themselves of all of the information available, that's up to  
> them (as is the decision whether they want to use SSP information at  
> all).


Whenever a verifier decides there are too many From domains to bother  
discovering all the SSP records, it MUST treat this message as having  
failed SSP compliance.  Otherwise, additional From email-addresses  
would be a means to bypass SSP policies.  This also means you are  
suggesting there be some undefined limit that might then cause email  
to be rejected.  Valid mail rejected as a result of an undefined limit  
must be described as an interchange problem.

If the WG has the brass to say all From email-addresses should have  
their SSP records discovered, the WG should also define a minimum  
number of email-addresses where interchange is assured.  EAI has  
defined the use of two From addresses to permit alternative formats.   
With the introduction of non-ASCII TLDs, these alternative formats  
might become required, as ACE labels may not be displayed.

Set the From email-address minimum maximum at 2, 4, or 6.  SSP policy  
established by just the first domain without imposing a limit on the  
number of From email-addresses would also be acceptable.  Recipients  
must understand what element of the message is being protected.  This  
protection is easier to explain as being for just the "first"  
email-address domain.  Saying the first two would make a signature  
indication less informative.

-Doug
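
The fail-closed handling argued for in the message above, sketched as an added example that is not part of the original post or of any SSP draft text. The limit of 4, the function names, the result labels and the sample messages are assumptions made for illustration, and the g= restricted-key exception is not modelled.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed verifier-local limit; the message above proposes 2, 4, or 6.
MAX_FROM_ADDRESSES = 4

def from_domains(raw_message):
    """Return the lower-cased domain of every address in the From header."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("From", []))
    return [addr.rpartition("@")[2].lower() for _, addr in pairs if "@" in addr]

def at_or_above(signing_domain, from_domain):
    """True when signing_domain equals from_domain or is a parent of it."""
    s = signing_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return f == s or f.endswith("." + s)

def ssp_check(raw_message, valid_signing_domains, limit=MAX_FROM_ADDRESSES):
    """Classify a message by its From domains.

    valid_signing_domains: d= values of DKIM signatures that already verified,
    whichever header (From, Sender, ...) they were added on behalf of.
    Returns (result, domains still needing an SSP lookup).
    """
    domains = from_domains(raw_message)
    # Fail closed: an unparsable From, or more addresses than the verifier
    # will look up, must not let the message skip policy evaluation.
    if not domains or len(domains) > limit:
        return "fail", []
    uncovered = [d for d in domains
                 if not any(at_or_above(s, d) for s in valid_signing_domains)]
    return ("covered" if not uncovered else "needs-policy"), uncovered

# Constructed sample messages (not taken from the thread).
SAMPLE_TWO_FROM = (
    "From: Alice <alice@mail.example.com>, bob@example.com\n"
    "Sender: list@example.com\nSubject: test\n\nbody\n"
)
SAMPLE_PADDED = (
    "From: ceo@bank.example, "
    + ", ".join(f"u{i}@pad{i}.example.net" for i in range(4))
    + "\nSubject: test\n\nbody\n"
)
SAMPLE_UNSIGNED_DOMAIN = "From: carol@other.example\nSubject: test\n\nbody\n"
```
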