[ietf-dkim] Consensus point on ADSP
fenton at cisco.com
Tue Mar 31 09:30:33 PDT 2009
Charles Lindsey wrote:
> On Tue, 31 Mar 2009 06:13:41 +0100, Jim Fenton <fenton at cisco.com> wrote:
>> The second two cases are not my example. Concern #2 in my message has
>> to do with messages where the signing address is a different address in
>> the same domain as the From address. The correct test case is:
>>> From someone at foo.example
>> Valid signature from ietf-examples at foo.example
>> Let's also use "all" instead of "discardable" as the test case because
>> it's the harder problem to solve. As you point out, the mailing list
>> should be acting on the Discardable practice rather than trying to send
>> the message to the list.
>> Let's say that ietf-examples at foo.example is a mailing list that re-signs
>> mail sent to the list (or it could be a forwarder or similar agent).
>> foo.example's mail server gets a message from an address in the same
>> domain, someone at foo.example, that has no Author Signature or has a
>> broken one. ...
> But how come it had no Author signature? Presumably because it arrived
> over some internal LAN, and internal mail is not signed (or all signing is
> done at the point where mail is finally dispatched to the Big Wide World
Perhaps that was the reason, but it could be a lot of things. The
notion of "internal" is becoming harder and harder to define.
>> ... In accordance with the domain's policy, it subjects the
>> message to additional scrutiny because of the "all" practices and lack
>> of an Author Signature. The message passes this test and is sent to the
>> mailing list manager.
> So the mailing list manager, or some agent just prior to it, has satisfied
> itself that it was a valid message from someone at foo.example (hence no
> reason not to send it out to the mailing list).
>> At this point, the mailing list manager would normally sign the
>> message. Let's examine this with the i= and d= choices:
>> Using i= as the basis for Author Signature, the list can sign the
>> message, and the eventual verifier/assessor that does an ADSP check will
>> see that it (still) lacks an Author Signature since
>> ietf-examples at foo.example does not match someone at foo.example.
> But we are agreed that (at least for now) we don't use i= as the basis for
> Author Signature. The mailing list expander may well add
> i=ietf-examples at foo.example, but that is just so humans (and maybe some
> super-smart Assessors) can observe what has been happening. But, for
> normal Assessors, that i= is just "opaque" stuff that it can ignore.
Go back and look at the message from the Chair that started this
thread. I had thought that we were debating the merits of the current
wording vs. an alternative that I offered that replaces the definition
of Author Signature and that means we're still discussing i= vs. d= as a
basis for Author Signature.
>> Using d= as the basis for Author Signature, if the list signs the
>> message, an eventual verifier/assessor will erroneously see that
>> signature as an Author Signature, and therefore might not give the
>> message the desired treatment. ...
> Why ever not? It is From: someone at foo.example. The agent that signed it
> has already satisfied itself that it is genuine ("additional scrutiny"
> maybe), and it is signed with d=foo.example. It looks like a Author
> Signature, it quacks like an Author Signature, therefore it IS an Author
> Signature. Subsequent Assessors should be perfectly happy to accept it
> (whether the ADSP for foo.example is "All", "Discardable", or anythng
> So where is your problem?
My problem is that the semantics of the signature that the mailing list
applies shouldn't depend on whether the original author happens to be in
the same domain as the list.
>> ... Another option would be for the mailing
>> list manager not to sign this message, which means it needs to do a
>> special case not to sign messages if they're from the same domain and
>> lack an Author Signature. This is certainly possible, but would be more
>> challenging if the MTA manages many domains. I also think it's the
>> wrong place to solve the problem.
> Why should that be? It is either signed by the mailing list manager, or it
> is signed by the outgoing gateway to the Big Wide World, or maybe both. So
> who cares? Either way, it is sufficiently well signed for it to be
> acceptable everywhere.
Perhaps. Or the eventual verifier/assessor may have different criteria
that it uses to evaluate messages from ADSP=all domains that don't have
valid author signatures.
More information about the ietf-dkim