[ietf-dkim] draft-ietf-dkim-ssp, "Author Signatures" and "i=" tag

Pasi.Eronen at nokia.com Pasi.Eronen at nokia.com
Wed Dec 17 04:20:18 PST 2008


(Continuing from my previous email):	 

The terms "Valid Signature from an Author Domain" and "Author
Signature" are very easily confused. If I understood Doug's comments
right, he's essentially proposing making these two terms identical. 
That would certainly simplify things, but since the WG has decided 
otherwise, we need to make sure the distinction is understood
by the reader. 

Going over places that may need some clarification:

Section 1 should probably explicitly say that while RFC 4871 does not
require the value of the "i=" tag to match the identity in any message
header fields, this document can express a signing practice that
requires it to match as described in Section 2.7.  Using this signing
practice prevents the use of the "i=" tag for other purposes (such as
expressing what the signer actually authenticated) in the future.

Section 3.2:
>   o If a message has a Valid Signature from an Author Domain, ADSP
>     provides no benefit relative to that domain since the message is
>     already known to be compliant with any possible ADSP for that
>     domain.

"If a message has an Author Signature, ..."?

Section 3.2:
>   o  If a message has a Valid Signature from a domain other than an
>      Author Domain, the receiver can use both the Signature and the
>      ADSP result in its evaluation of the message.

"If a message has a Valid Signature from a domain other than an
Author Domain, or a Valid Signature from an Author Domain that does
not meet the requirements of Author Signature, ..."?

Section 3.3:
>   o  Messages from this domain might or might not have an author
>      signature.  This is the default if the domain exists in the DNS
>      but no ADSP record is found.

While technically this is true, "might or might not have an Author
Signature (and might or might not have other Valid Signatures that
are not Author Signatures)" would make the distinction clearer.

Section 3.3:
>   o  All messages from this domain are signed.

"All messages from this domain are signed with Author Signatures"

Appendix B should briefly discuss cases where an organization signs
(takes responsibility using Valid Signatures) for all its outgoing
mail, but not always with Author Signatures (so it can't advertise
dkim=all/dkim=discardable policy).  At least the following
cases come to mind:

- "Sender": For example, if John's secretary Michael sends a message
(based on [RFC5322], Appendix A.1.1), and the "i=" tag identifies the
authenticated submitter of this message (Michael), the signature is
not an Author Signature:

   From: John Doe <jdoe@example.com>
   Sender: Michael Jones <mjones@example.com>
   DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=brisbane;
         q=dns/txt; i=mjones@example.com; [...]

- Subdomains: The following signature is not an Author Signature,
because the domain taking responsibility for the email ("example.com")
is not equal to the Author Domain ("eng.example.com").

   From: John Doe <jdoe@eng.example.com>
   DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=brisbane;
         q=dns/txt; [...]

If an "i=" tag with value "@eng.example.com" is added, the signature
becomes an Author Signature:

   From: John Doe <jdoe@eng.example.com>
   DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=brisbane;
         q=dns/txt; i=@eng.example.com; [...]

- Mailing lists: A mailing list exploder that takes responsibility for
messages on the list does not usually add Author Signatures.  For
example, a mailing list exploder for a public mailing list
"foobar-list@example.com" might add the following signature:

   From: joe@example.com
   To: foobar-list@example.com
   Sender: foobar-list-owner@example.com
   DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=brisbane;
         q=dns/txt; i=foobar-list-owner@example.com [...]

The message could, however, contain also an Author Signature, probably
added before the message reaches the mailing list exploder. If Author
Signatures are added by Boundary MTAs, this requires defining the
boundaries correctly.




Comments, thoughts?

Best regards,
Pasi
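
The cases listed in the message above can be checked mechanically. The following is an added example, not part of the original email or of the draft: it assumes the signature has already verified as a Valid Signature, that there is a single From address, and that the matching rule (inferred from the examples above) is "the i= domain equals the Author Domain, and the i= Local-part, if present, equals the author's". The function names are hypothetical.

```python
import re
from email.utils import parseaddr


def parse_tags(sig_value):
    """Parse a DKIM-Signature tag list ("k=v; k=v; ...") into a dict."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:  # skips elided remainders such as "[...]"
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # undo header folding
    return tags


def is_author_signature(from_header, sig_value):
    """Return True if an (already verified) signature is an Author Signature.

    Assumed rule: the signing identity (i=, or its RFC 4871 default
    "@" + d=) must match the address in From.
    """
    _, addr = parseaddr(from_header)
    local, _, author_domain = addr.rpartition("@")
    tags = parse_tags(sig_value)
    d = tags["d"].lower()
    identity = tags.get("i", "@" + d)  # RFC 4871 default for a missing i=
    i_local, _, i_domain = identity.rpartition("@")
    i_domain = i_domain.lower()
    # RFC 4871: the i= domain must be d= itself or a subdomain of d=.
    if i_domain != d and not i_domain.endswith("." + d):
        return False
    if i_domain != author_domain.lower():
        return False
    # An i= without a Local-part speaks for the whole domain.
    return i_local == "" or i_local == local


# Constructed inputs mirroring the three cases in the message above.
SIG = "v=1; a=rsa-sha256; d=example.com; s=brisbane; q=dns/txt; "
CASES = {
    "sender": ("John Doe <jdoe@example.com>", SIG + "i=mjones@example.com; [...]"),
    "subdomain": ("John Doe <jdoe@eng.example.com>", SIG + "[...]"),
    "subdomain+i": ("John Doe <jdoe@eng.example.com>", SIG + "i=@eng.example.com; [...]"),
    "list": ("joe@example.com", SIG + "i=foobar-list-owner@example.com; [...]"),
}
```

Only the "subdomain+i" case is an Author Signature; the other three are Valid Signatures from example.com that an ADSP check would not count.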


