[ietf-dkim] Author Signature vs. Author Domain Signature / Internal vs External threats
Douglas Otis
dotis at mail-abuse.org
Thu Apr 2 10:19:12 PDT 2009
On Apr 2, 2009, at 8:15 AM, Dave CROCKER wrote:
>
> I think there are two sources of confusion for this round of ADSP
> discussion.
>
> The first is that the term "Author Signature" encourages one to
> think that DKIM is used to sign with the full author email address,
> rather than with the /domain/ of the author's address. We fixed
> that error in the name of the document, but forgot to carry it
> through to the details of the spec.
Agreed. :^)
> DKIM is about domains, not email addresses. And that's all ADSP
> should be. Using i= encourages this cofusion. Using "Author
> Signature" rather than "Author Domain Signature" also encourages it.
Agreed.
----
Change:
1. Introduction:
This inquiry is called an Author Signing Practices check.
To:
This inquiry is called an Author Domain Signing Practices check.
----
Change:
Section 2.7 Author Signature.
To:
Section 2.7 Author Domain Signature.
----
Change:
An "author signature"
To:
An "Author Domain Signature"
Then:
s/author signature/Author Domain Signature/
> The specification and semantics of ADSP get simpler, cleaner and
> properly scoped, when d= is used. Using i= really does invite a
> complex of issues that should be outside the scope of DKIM and ADSP.
Within the Security Consideration section, mention use of the i= could
be required to differentiate intra-domain sources that might otherwise
confuse From header fields as the message source, such as a mailing-
list sharing the same domain.
Append to the initial paragraph within the Security Considerations
section:
Use of the i= value (AUID) may be necessary to disambiguate message
sources, such as those messages handled by a mailing list sharing the
same domain.
> Use d=.
To determine ADSP compliance. Agreed.
> d/
>
> ps. That includes dropping the "ADSP is incompatible" note.
----
Strike the following in Section 2.7:
If the DKIM signing identity has a Local-part, it is be identical to
the Local-part in the Author Address. Following [RFC5321], Local-part
comparisons are case sensitive, but domain comparisons are case
insensitive.
For example, if a message has a Valid Signature, with the DKIM-
Signature field containing "i=a at domain.example", then domain.example
is asserting that it takes responsibility for the message. If the
message's From: field contains the address "b at domain.example", that
would mean that the message does not have a valid Author Signature.
Even though the message is signed by the same domain, it will not
satisfy ADSP that specifies "dkim=all" or "dkim=discardable".
Note: ADSP is incompatible with valid DKIM usage in which a signer
uses "i=" with values that are not the same as addresses in mail
headers. In that case, a possible workaround could be to add a
second DKIM signature a "d=" value that matches the Author Address,
but no "i=".
----
-Doug
More information about the ietf-dkim
mailing list