[ietf-dkim] Next steps for draft-ietf-dkim-ssp
MH Michael Hammer (5304)
MHammer at ag.com
Tue Jan 6 17:01:36 PST 2009
> -----Original Message-----
> From: Jim Fenton [mailto:fenton at cisco.com]
> Sent: Tuesday, January 06, 2009 6:10 PM
> To: MH Michael Hammer (5304)
> Cc: John L; ietf-dkim at mipassoc.org
> Subject: Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp
> It really applies to the implementation of the checker, and not to the
> publication of ADSP records.
> At the risk of repeating myself, here's an example of when it's
> important. Suppose the ietf.org mailing list manager signs its mail
> using i=ietf at ietf.org. The IETF Chair sends a message to the list,
> using From: <chair at ietf.org>. I contend it would be bad for the
> list manager signature to be confused with an author signature.
But in terms of the receiving domain checking, why would they make a
distinction from an ADSP perspective? The question at hand is whether
all email from a particular (sub) domain is signed. If a domain is
making this type of assertion, then it is looking at ietf.org and
shouldn't really care whether the user is chair@ or ietf@. If you are
asserting that one might be signed and the other not then I think there
is an issue. If you assert that both are signed but the signatures might
be different (within the same domain but with different selectors for
example) then I'm going to say fine because if ietf.org asserts it signs
all mail then it still works. It is the domain that is important, not
the user part for the all assertion.
> This example involves the use of local-parts, but one could also come up
> with (somewhat more contrived) examples where the mailing list manager
> is at lists.example.com and some users are at users.example.com. If
> keys are published in the example.com domain (d=example.com) and i=
> isn't being used, it isn't possible to distinguish author signatures from
> list signatures.
Distinguish to what purpose Jim?
Either they are signed or they aren't signed from an ADSP perspective.
If distinguishing at this granularity is important then publish ADSP for
lists.example.com/DKIM sign for that domain (d=) and publish ADSP for
users.example.com/DKIM sign for that domain (d=). The author signatures
are clearly distinguished from the list signatures.
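The two readings of "author signature" argued over in this exchange, as an added example that is not code from the thread or from any DKIM/ADSP implementation; the From: header and the d=/i=/s= tag values are constructed from Jim's ietf.org scenario, and modelling an already-verified signature as a dict of tag values is an assumption.

```python
# Added illustration of the two positions in the thread; not code from the
# thread or from any DKIM/ADSP implementation. Signatures are modelled as
# dicts holding already-verified d=, i= and s= tag values (an assumption).
from email.utils import parseaddr

def split_addr(addr):
    """Split 'local@domain' into (local, domain); domain compared lower-cased.
    An i= of '@ietf.org' (no local part) yields local == ''."""
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()

def from_address(from_header):
    """Extract the addr-spec from a From: header value such as
    'IETF Chair <chair@ietf.org>'."""
    return parseaddr(from_header)[1]

def author_sigs_by_domain(from_header, signatures):
    """Michael's reading: any valid signature whose d= equals the From:
    domain is an author domain signature, whatever i= or the local part say."""
    _, from_domain = split_addr(from_address(from_header))
    return [s for s in signatures if s["d"].lower() == from_domain]

def author_sigs_by_identity(from_header, signatures):
    """Jim's reading: when i= carries a local part it must also match the
    From: local part, so a list signature with i=ietf@ietf.org does not
    count as an author signature for chair@ietf.org."""
    from_local, from_domain = split_addr(from_address(from_header))
    matches = []
    for s in signatures:
        if s["d"].lower() != from_domain:
            continue
        if "i" not in s:            # no i=: nothing finer than d= to check
            matches.append(s)
            continue
        i_local, i_domain = split_addr(s["i"])
        if i_domain == from_domain and i_local in ("", from_local):
            matches.append(s)
    return matches

# Constructed scenario from the thread: the list manager signs with
# i=ietf@ietf.org; the Chair's own mail server would sign with i=chair@ietf.org.
LIST_SIG = {"d": "ietf.org", "s": "list", "i": "ietf@ietf.org"}
CHAIR_SIG = {"d": "ietf.org", "s": "mail", "i": "chair@ietf.org"}
FROM_CHAIR = "IETF Chair <chair@ietf.org>"

if __name__ == "__main__":
    print(author_sigs_by_domain(FROM_CHAIR, [LIST_SIG]))             # list sig counts
    print(author_sigs_by_identity(FROM_CHAIR, [LIST_SIG]))           # []
    print(author_sigs_by_identity(FROM_CHAIR, [LIST_SIG, CHAIR_SIG]))  # chair sig only
```

Subdomain i= values and the rest of the ADSP lookup are left out; the block only shows where the two readings diverge on the one message both sides discuss.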