[ietf-dkim] ADSP Informative Note on parent domain signing
Douglas Otis
dotis at mail-abuse.org
Mon Apr 13 09:40:31 PDT 2009
On Apr 13, 2009, at 6:04 AM, Jim Fenton wrote:
>> Consider a domain that uses sub-domains for their mailing-lists
>> that are signed using Parent Domain Signing. Even when a parent
>> domain has ADSP assertions of either an "all" or "discardable",
>> users can still participate in these mailing-lists using Parent
>> Domain Signing and be compliant with ADSP. Compliance can not be
>> defined in terms of Parent Domain Signing, since the i= value can
>> contain sub-domains.
>
> I don't understand what "users can participate in these mailing-
> lists using Parent Domain Signing" means. A signature applied by a
> mailing list would be an Author Domain Signature, except in the
> special case where the domain of the mailing list signature happens
> to be the same as that of the author. It's possible to avoid this
> special case by having the mailing list domain be different from
> that of any author, and one way to do that is to give the mailing
> list(s) a separate subdomain. But that doesn't have anything to do
> with the caution about Parent Domain Signing.
A parent domain signature applied by the mailing-list might look as
follows:
_adsp._domainkey.example.com TXT "dkim=discardable"
From: jon.doe@example.com
DKIM-Signature: i=list-subject@mail-list-ns.example.com;
d=example.com; ...
When evaluating ADSP, this type of "Parent Domain Signature" is still
compliant. Users of "example.com" can participate in
"list-subject@mail-list-ns.example.com" without special signatures being
needed.
The domain might also use sub-domains as their means to tokenize
on-behalf-of entities.
A parent domain signature applied for tokenized entities might look as
follows:
From: jon.doe@example.com
DKIM-Signature: i=radius-value@radius-ns.example.com; d=example.com; ...
When evaluating ADSP, this type of "Parent Domain Signature" is also
still compliant. A caution must not refer to i= values or parent
domain signing. The caution should be limited to ensuring the signing
domain and the email-address domain be the same. "Parent Domain
Signing" is ONLY about the i= value, where the i= value is ignored for
ADSP compliance.
-Doug
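The point argued in this thread (only d= is compared against the From: domain; i= is ignored) can be checked mechanically. The following Python is an added illustration written for this archive page, not code from the thread, the DKIM working group or any DKIM implementation. It follows the RFC 5617 definition of an Author Domain Signature and the dkim-adsp result names (pass, none, unknown, fail, discard). Cryptographic verification is assumed to have been done elsewhere and is represented by a set of verified signature indices; DNS is a constructed dictionary; the selector and algorithm values in the sample headers are made up, and the domain-existence (NXDOMAIN) check is omitted.

```python
import email.utils

# Constructed sample DNS data (assumption: a dict stands in for a real TXT lookup).
# ADSP records live at _adsp._domainkey.<author domain>, as in the post.
ADSP_RECORDS = {
    "_adsp._domainkey.example.com": "dkim=discardable",
}


def parse_tag_list(value):
    """Parse a DKIM tag=value list ("i=...; d=...; ...") into a dict.

    Folding whitespace inside values is dropped, empty elements (a trailing
    ';') are tolerated, and a duplicated tag is rejected as malformed.
    """
    tags = {}
    for element in value.split(";"):
        element = element.strip()
        if not element:
            continue
        name, sep, val = element.partition("=")
        if not sep:
            raise ValueError("malformed tag element: %r" % element)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = "".join(val.split())
    return tags


def author_domain(from_header):
    """Domain of the Author Address, i.e. the address in the From: header."""
    _display, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        raise ValueError("no address in From: %r" % from_header)
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_author_domain_signature(sig_tags, author_dom):
    """True when the signature's d= is the Author Address domain.

    Only d= is compared.  The i= tag (the on-behalf-of identity) is not
    consulted, so a Parent Domain Signature whose i= sits under a sub-domain
    of d= qualifies exactly as a signature with i= at d= would.
    """
    return sig_tags.get("d", "").lower().rstrip(".") == author_dom


def adsp_practice(author_dom, dns=ADSP_RECORDS):
    """Published practice ('unknown', 'all', 'discardable') or None if no record.

    The RFC 5617 domain-existence (NXDOMAIN) check is out of scope here.
    """
    txt = dns.get("_adsp._domainkey." + author_dom)
    if txt is None:
        return None
    return parse_tag_list(txt).get("dkim", "unknown")


def evaluate_adsp(from_header, signatures, verified, dns=ADSP_RECORDS):
    """Return an Authentication-Results style dkim-adsp result.

    signatures: list of DKIM-Signature header values
    verified:   indices of those whose cryptographic check passed (assumed
                to have been done elsewhere; this block does no crypto)
    """
    author_dom = author_domain(from_header)
    for idx, raw in enumerate(signatures):
        if idx in verified and is_author_domain_signature(parse_tag_list(raw), author_dom):
            return "pass"
    practice = adsp_practice(author_dom, dns)
    if practice is None:
        return "none"
    return {"all": "fail", "discardable": "discard"}.get(practice, "unknown")


# Constructed headers modelled on the post's mailing-list example; selector and
# algorithm values are made up, and the b=/bh= tags are omitted.
LIST_SIG_PARENT = ("v=1; a=rsa-sha256; d=example.com; s=listsel;\r\n"
                   "\ti=list-subject@mail-list-ns.example.com")
LIST_SIG_SUBDOMAIN = ("v=1; a=rsa-sha256; d=mail-list-ns.example.com; s=listsel;\r\n"
                      "\ti=list-subject@mail-list-ns.example.com")
FROM_HEADER = "jon.doe@example.com"

if __name__ == "__main__":
    print(evaluate_adsp(FROM_HEADER, [LIST_SIG_PARENT], {0}))     # pass
    print(evaluate_adsp(FROM_HEADER, [LIST_SIG_SUBDOMAIN], {0}))  # discard
    print(evaluate_adsp(FROM_HEADER, [LIST_SIG_PARENT], set()))   # discard
```

The second sample signature is the contrast case: a list that signs with d=mail-list-ns.example.com rather than the parent domain does not produce an Author Domain Signature for jon.doe@example.com, so under a "discardable" policy the message is marked for discard even though i= is identical to the compliant case. That is the only comparison a caution needs to describe.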