[ietf-dkim] Consensus point on ADSP
dotis at mail-abuse.org
Tue Mar 31 11:17:03 PDT 2009
On Mar 31, 2009, at 9:30 AM, Jim Fenton wrote:
>> Why ever not? It is From: someone at foo.example. The agent that
>> signed it has already satisfied itself that it is genuine
>> ("additional scrutiny" maybe), and it is signed with d=foo.example.
>> It looks like an Author Signature, it quacks like an Author
>> Signature, therefore it IS an Author Signature. Subsequent
>> Assessors should be perfectly happy to accept it (whether the ADSP
>> for foo.example is "All", "Discardable", or anything
>> So where is your problem?
> My problem is that the semantics of the signature that the mailing
> list applies shouldn't depend on whether the original author happens
> to be in the same domain as the list.

It does not. It would only require assertion of i= values.

>>> ... Another option would be for the mailing list manager not to
>>> sign this message, which means it needs to do a special case not
>>> to sign messages if they're from the same domain and lack an
>>> Author Signature. This is certainly possible, but would be more
>>> challenging if the MTA manages many domains. I also think it's
>>> the wrong place to solve the problem.
>> Why should that be? It is either signed by the mailing list
>> manager, or it is signed by the outgoing gateway to the Big Wide
>> World, or maybe both. So who cares? Either way, it is sufficiently
>> well signed for it to be acceptable everywhere.
> Perhaps. Or the eventual verifier/assessor may have different
> criteria that it uses to evaluate messages from ADSP=all domains
> that don't have valid author signatures.

When the definition of valid Author Signature only considers whether
the signature is by the correct domain, then these signatures would be
compliant with ADSP. By asserting the i= values, when MUAs or
assessors attempt to annotate sources, it could annotate
"Sender:ietf-examples at foo.example.com" rather than
"From:someone at foo.example.com". The change in Author-Signature
definition will not obscure where the message originated as
long as the signer asserts i= values. Such assertions are controlled
by the signing domain.

The change requires the receiver (assessor or MUA) to depend upon
current DKIM i= value semantics for annotations, while also
eliminating double signing to be ADSP compliant where one signature is
on-behalf-of the "ietf-examples at foo.example.com" and the other leaves
the i= value at its default.
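
Added example, not part of the original message or of any DKIM/ADSP implementation: a Python sketch of the receiver-side logic the message describes, where ADSP compliance is decided from d= alone and the i= value selects which header an MUA or assessor annotates. It assumes the signature has already been verified cryptographically; the function names, the constructed sample messages, and the "d=" and "i=" fallback annotations are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def assess(raw):
    """Return (domain_only_author_signature, annotation) for one message."""
    msg = message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    d = tags["d"].lower()
    # RFC 4871 default for i= is an empty local-part followed by "@" and d=.
    # Lower-casing the whole identity is a simplification for this sketch.
    i = tags.get("i", "@" + d).lower()
    author = parseaddr(msg["From"])[1].lower()
    sender = parseaddr(msg.get("Sender", ""))[1].lower()
    # Domain-only definition: the signing domain equals the From: domain.
    domain_only = author.rpartition("@")[2] == d
    if i.startswith("@"):
        annotation = "d=" + d            # no specific identity asserted
    elif i == sender:
        annotation = "Sender:" + sender  # signed on behalf of the list
    elif i == author:
        annotation = "From:" + author    # signed on behalf of the author
    else:
        annotation = "i=" + i            # identity matches neither header
    return domain_only, annotation

def sample(i_tag, author="someone@foo.example.com"):
    """Constructed message; bh= and b= are placeholders, not real values."""
    return (f"From: {author}\n"
            "Sender: ietf-examples@foo.example.com\n"
            f"DKIM-Signature: v=1; a=rsa-sha256; d=foo.example.com; s=sel;{i_tag}\n"
            " h=from:sender; bh=PLACEHOLDER; b=PLACEHOLDER\n\nbody\n")

if __name__ == "__main__":
    for i_tag in (" i=ietf-examples@foo.example.com;", ""):
        print(assess(sample(i_tag)))
```

The first sample is a single list signature that passes the domain-only check while still identifying the list as the source; the second leaves i= at its default and yields only a domain-level annotation.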