[ietf-dkim] Issue 1519: SSP-01 Unnecessary constraint on i= when asserting "strict"
Stephen Farrell
stephen.farrell at cs.tcd.ie
Fri Jul 4 05:45:39 PDT 2008
Issue description: https://rt.psg.com/Ticket/Display.html?id=1519
Various threads.
The clearest message in that thread I can find is this:
Jim Fenton wrote:
> To briefly summarize, I understand Doug's issue to be the question
> of whether the local-part of an Author Address should be matched
> against the i= value, if a local-part is present in i=.
>
> SSP matches the local part if present
> draft-levine-asp-00 matches only the domain part
> Doug is suggesting a third alternative: to match the Author Address
> against the g= field in the key record used to verify the signature.
>
> Doug, please verify that I understand the issue correctly before I
> invest a lot of keystrokes in responding.
ssp-04 does include the local part if present, so the draft-levine
variant is off the table. I've not found a clear description of how
to use g= in the thread (that I could follow).
I suggest we close 1519 and (if necessary) Doug can send around
a new proposal specifying his g= based alternative to the paragraphs
of ssp-04 copied below.
If there's no further discussion of this, I'll ask Eliot to
close it on July 11.
S.
The text about i= in ssp-04 is:
An "Author Signature" is any Valid Signature where the identity of
the user or agent on behalf of which the message is signed (listed in
the "i=" tag or its default value from the "d=" tag) matches an
Author Address in the message. When the identity of the user or
agent includes a Local-part, the identities match if the Local-parts
are the same string, and the domains are the same string. Otherwise,
the identities match if the domains are the same string. Following
[RFC2821], Local-part comparisons are case sensitive, domain
comparisons are case insensitive.
For example, if a message has a Valid Signature, with the DKIM-Signature
field containing "i=a@domain.example", then domain.example
is asserting that it takes responsibility for the message. If the
message's From: field contains the address "b@domain.example" and an
ADSP query produces a "dkim=all" or "dkim=discardable" result, that
would mean that the message does not have a valid Author Signature.
Even though the message is signed by the same domain, it fails to
satisfy ADSP.
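The matching rule quoted above, worked through in code as an added example (this is not text or code from ssp-04 or from the list thread): the helper names parse_tags, author_signature_matches and violates_adsp are hypothetical, and the DKIM-Signature values and From: addresses fed to them are constructed.

```python
from email.utils import parseaddr


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag-list ("k=v; k=v") into a dict.

    Folding whitespace inside a value is ignored, as DKIM requires.
    """
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def author_signature_matches(sig_tags: dict, author_address: str) -> bool:
    """Apply the ssp-04 Author Signature test to one Valid Signature.

    The signing identity is the i= tag, or "@" + d= when i= is absent.
    If the identity carries a Local-part it must equal the Author
    Address's Local-part exactly (case sensitive, per RFC 2821); the
    domains must match case-insensitively.
    """
    identity = sig_tags.get("i") or "@" + sig_tags["d"]
    id_local, _, id_domain = identity.rpartition("@")
    _, addr = parseaddr(author_address)          # drop any display name
    au_local, _, au_domain = addr.rpartition("@")
    if id_domain.lower() != au_domain.lower():
        return False
    if id_local:                                 # Local-part present in i=
        return id_local == au_local
    return True                                  # domain-only identity


def violates_adsp(adsp_practice: str, has_author_signature: bool) -> bool:
    """"dkim=all" and "dkim=discardable" both demand an Author Signature."""
    return adsp_practice in ("all", "discardable") and not has_author_signature


# Constructed header: signed as i=a@domain.example, From: is b@domain.example
SIG = parse_tags("v=1; a=rsa-sha256; d=domain.example; s=sel;"
                 " i=a@domain.example; h=from:to; bh=AAAA; b=BBBB")
if __name__ == "__main__":
    ok = author_signature_matches(SIG, "Bob <b@domain.example>")
    print("Author Signature:", ok, "ADSP violated:", violates_adsp("all", ok))
```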