[ietf-dkim] Author Signature vs. Author Domain Signature / Internal vs External threats
dotis at mail-abuse.org
Thu Apr 2 10:19:12 PDT 2009
On Apr 2, 2009, at 8:15 AM, Dave CROCKER wrote:
> I think there are two sources of confusion for this round of ADSP
> The first is that the term "Author Signature" encourages one to
> think that DKIM is used to sign with the full author email address,
> rather than with the /domain/ of the author's address. We fixed
> that error in the name of the document, but forgot to carry it
> through to the details of the spec.
> DKIM is about domains, not email addresses. And that's all ADSP
> should be. Using i= encourages this confusion. Using "Author
> Signature" rather than "Author Domain Signature" also encourages it.
This inquiry is called an Author Signing Practices check.
This inquiry is called an Author Domain Signing Practices check.
Section 2.7 Author Signature.
Section 2.7 Author Domain Signature.
An "author signature"
An "Author Domain Signature"
s/author signature/Author Domain Signature/
> The specification and semantics of ADSP get simpler, cleaner and
> properly scoped, when d= is used. Using i= really does invite a
> complex of issues that should be outside the scope of DKIM and ADSP.
Within the Security Consideration section, mention use of the i= could
be required to differentiate intra-domain sources that might otherwise
confuse From header fields as the message source, such as a mailing-
list sharing the same domain.
Append to the initial paragraph within the Security Considerations
Use of the i= value (AUID) may be necessary to disambiguate message
sources, such as those messages handled by a mailing list sharing the
> Use d=.
To determine ADSP compliance. Agreed.
> ps. That includes dropping the "ADSP is incompatible" note.
Strike the following in Section 2.7:
If the DKIM signing identity has a Local-part, it is be identical to
the Local-part in the Author Address. Following [RFC5321], Local-part
comparisons are case sensitive, but domain comparisons are case
For example, if a message has a Valid Signature, with the DKIM-
Signature field containing "i=a at domain.example", then domain.example
is asserting that it takes responsibility for the message. If the
message's From: field contains the address "b at domain.example", that
would mean that the message does not have a valid Author Signature.
Even though the message is signed by the same domain, it will not
satisfy ADSP that specifies "dkim=all" or "dkim=discardable".
Note: ADSP is incompatible with valid DKIM usage in which a signer
uses "i=" with values that are not the same as addresses in mail
headers. In that case, a possible workaround could be to add a
second DKIM signature a "d=" value that matches the Author Address,
but no "i=".
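
The two readings discussed in this message, as an added example that is not part of the original post or of the ADSP draft: the d=-only Author Domain Signature test, next to the Section 2.7 Local-part rule proposed for removal. It assumes the signature has already been verified as a Valid Signature; the function names and sample values are constructed for illustration.

```python
# Added illustration; all function names and sample values are hypothetical.

def parse_tags(sig_value):
    """Split a DKIM-Signature tag list ("d=...; i=...") into a dict."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def split_addr(addr):
    """Return (local_part, domain); domain comparisons are case-insensitive."""
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()

def author_domain_signature(sig_value, author_address):
    """d=-only rule: the signing domain equals the Author Address domain."""
    tags = parse_tags(sig_value)
    _, author_domain = split_addr(author_address)
    return tags.get("d", "").lower() == author_domain

def author_signature_with_local_part(sig_value, author_address):
    """Struck rule: if i= carries a Local-part, it must also be identical
    (case-sensitive) to the Local-part of the Author Address."""
    if not author_domain_signature(sig_value, author_address):
        return False
    i_local, _ = split_addr(parse_tags(sig_value).get("i", ""))
    if not i_local:          # no i=, or i=@domain: nothing more to compare
        return True
    author_local, _ = split_addr(author_address)
    return i_local == author_local

# Constructed sample mirroring the message's example (i=a@, From: b@).
SIG = "v=1; d=domain.example; i=a@domain.example"

if __name__ == "__main__":
    for author in ("a@domain.example", "b@domain.example", "A@Domain.Example"):
        print(author,
              author_domain_signature(SIG, author),
              author_signature_with_local_part(SIG, author))
```
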