[ietf-dkim] Consensus point on ADSP
Jim Fenton
fenton at cisco.com
Tue Mar 31 09:30:33 PDT 2009
Charles Lindsey wrote:
> On Tue, 31 Mar 2009 06:13:41 +0100, Jim Fenton <fenton at cisco.com> wrote:
>
>
>> The second two cases are not my example. Concern #2 in my message has
>> to do with messages where the signing address is a different address in
>> the same domain as the From address. The correct test case is:
>>
>>
>> From someone at foo.example
>>
>> Valid signature from ietf-examples at foo.example
>>
>> Let's also use "all" instead of "discardable" as the test case because
>> it's the harder problem to solve. As you point out, the mailing list
>> should be acting on the Discardable practice rather than trying to send
>> the message to the list.
>>
>> Let's say that ietf-examples at foo.example is a mailing list that re-signs
>> mail sent to the list (or it could be a forwarder or similar agent).
>> foo.example's mail server gets a message from an address in the same
>> domain, someone at foo.example, that has no Author Signature or has a
>> broken one. ...
>>
>
> But how come it had no Author signature? Presumably because it arrived
> over some internal LAN, and internal mail is not signed (or all signing is
> done at the point where mail is finally dispatched to the Big Wide World
> outside).
>
Perhaps that was the reason, but it could be a lot of things. The
notion of "internal" is becoming harder and harder to define.
>
>> ... In accordance with the domain's policy, it subjects the
>> message to additional scrutiny because of the "all" practices and lack
>> of an Author Signature. The message passes this test and is sent to the
>> mailing list manager.
>>
>
> So the mailing list manager, or some agent just prior to it, has satisfied
> itself that it was a valid message from someone at foo.example (hence no
> reason not to send it out to the mailing list).
>
Right.
>> At this point, the mailing list manager would normally sign the
>> message. Let's examine this with the i= and d= choices:
>>
>> Using i= as the basis for Author Signature, the list can sign the
>> message, and the eventual verifier/assessor that does an ADSP check will
>> see that it (still) lacks an Author Signature since
>> ietf-examples at foo.example does not match someone at foo.example.
>>
>
> But we are agreed that (at least for now) we don't use i= as the basis for
> Author Signature. The mailing list expander may well add
> i=ietf-examples at foo.example, but that is just so humans (and maybe some
> super-smart Assessors) can observe what has been happening. But, for
> normal Assessors, that i= is just "opaque" stuff that it can ignore.
>
Go back and look at the message from the Chair that started this
thread. I had thought that we were debating the merits of the current
wording vs. an alternative that I offered that replaces the definition
of Author Signature and that means we're still discussing i= vs. d= as a
basis for Author Signature.
>> Using d= as the basis for Author Signature, if the list signs the
>> message, an eventual verifier/assessor will erroneously see that
>> signature as an Author Signature, and therefore might not give the
>> message the desired treatment. ...
>>
>
> Why ever not? It is From: someone at foo.example. The agent that signed it
> has already satisfied itself that it is genuine ("additional scrutiny"
> maybe), and it is signed with d=foo.example. It looks like an Author
> Signature, it quacks like an Author Signature, therefore it IS an Author
> Signature. Subsequent Assessors should be perfectly happy to accept it
> (whether the ADSP for foo.example is "All", "Discardable", or anything
> else).
>
> So where is your problem?
>
My problem is that the semantics of the signature that the mailing list
applies shouldn't depend on whether the original author happens to be in
the same domain as the list.
>
>> ... Another option would be for the mailing
>> list manager not to sign this message, which means it needs to do a
>> special case not to sign messages if they're from the same domain and
>> lack an Author Signature. This is certainly possible, but would be more
>> challenging if the MTA manages many domains. I also think it's the
>> wrong place to solve the problem.
>>
>
> Why should that be? It is either signed by the mailing list manager, or it
> is signed by the outgoing gateway to the Big Wide World, or maybe both. So
> who cares? Either way, it is sufficiently well signed for it to be
> acceptable everywhere.
>
Perhaps. Or the eventual verifier/assessor may have different criteria
that it uses to evaluate messages from ADSP=all domains that don't have
valid author signatures.
-Jim
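The disagreement above is about which DKIM identity an ADSP assessor compares against the From: address. The following is an added example, not part of the thread, that models both readings on the mailing-list scenario Jim describes: the d= basis (what RFC 5617 later adopted as the Author Domain Signature) and the i= basis he argues for. The addresses and the list's re-signature are constructed from the thread; the i= default of "@" followed by the d= domain is the one RFC 6376 specifies.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A DKIM-Signature the verifier has already accepted as valid."""
    d: str        # d= tag: signing domain
    i: str = ""   # i= tag: agent/user identifier; RFC 6376 default is "@<d>"

    def identity(self) -> str:
        return (self.i or "@" + self.d).lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def author_sig_by_d(from_addr: str, sigs: list[Signature]) -> bool:
    """d= basis: any valid signature whose d= equals the From: domain counts,
    no matter which agent in that domain applied it."""
    return any(s.d.lower() == domain_of(from_addr) for s in sigs)


def author_sig_by_i(from_addr: str, sigs: list[Signature]) -> bool:
    """i= basis: the signature's i= identity must match the From: address
    exactly, so a list's re-signature with its own i= does not count."""
    return any(s.identity() == from_addr.lower() for s in sigs)


def assess(from_addr: str, sigs: list[Signature], adsp: str, basis) -> str:
    """Outcome an ADSP-aware assessor reaches for the published practice."""
    if basis(from_addr, sigs):
        return "author signature present"
    if adsp == "discardable":
        return "no author signature: discardable"
    if adsp == "all":
        return "no author signature: additional scrutiny"
    return "no author signature: unknown practice, treat as unsigned"


# Constructed scenario from the thread: the author's message arrived without an
# Author Signature and the list at ietf-examples@foo.example re-signed it.
FROM_ADDR = "someone@foo.example"
LIST_RESIGNED = [Signature(d="foo.example", i="ietf-examples@foo.example")]

if __name__ == "__main__":
    for name, basis in (("d=", author_sig_by_d), ("i=", author_sig_by_i)):
        print(f"{name} basis, adsp=all: {assess(FROM_ADDR, LIST_RESIGNED, 'all', basis)}")
```

Under the d= basis the list's signature satisfies the check, so a downstream assessor never learns the author's own signature was missing; under the i= basis the message still lacks an Author Signature and the "all" practice triggers the extra scrutiny.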