[ietf-dkim] DKIM+ADSP = FAIL, and it's our fault

McDowell, Brett bmcdowell at paypal-inc.com
Wed Sep 15 08:30:29 PDT 2010


On Sep 15, 2010, at 11:02 AM, Jeff Macdonald wrote:

> On Wed, Sep 15, 2010 at 10:43 AM, McDowell, Brett
> <bmcdowell at paypal-inc.com> wrote:
>> On Sep 15, 2010, at 12:11 AM, Murray S. Kucherawy wrote:
>> 
>>> Based on that (rather precise) description, aren't ADSP's requirements a proper subset of the DKIM requirements?  If so, I'm not sure I agree with "badly conflicting", but it does frame future discussion quite nicely.
>>> 
>>> For example, if DKIM enables the identification of mail streams, isn't the one ADSP covers just a specific instance of a mail stream?
>>> 
>> 
>> BTW, one thing I think we can agree on and find value from in these pre-deployment email discussions is terminology.  I ran into a problem at the last MAAWG during a panel discussion where my understanding of "3rd-party signature" is what someone else meant by "2nd-party signature".  What are the real definitions of "1st-party", "2nd-party" and "3rd-party" signatures in the context of DKIM and ADSP, i.e. in the context of i= and d= and from: values?
> 
> I believe only the ADSP documents talk about 3rd party, and it is
> defined as d= not From Domain.
> 
> These are 3rd party:
> 
> DKIM-Sig: ... d=dkim.bar.com
> From: foo at bar.com
> 
> DKIM-Sig: ... d=beer.com
> From: foo at bar.com
> 
> I believe Patrick defined 2nd party to be:
> DKIM-Sig: ... d=dkim.bar.com
> From: foo at bar.com
> 
> The MAAWG meeting was the first time I've heard that.
> 
> First party is of course:
> 
> DKIM-Sig: ... d=bar.com
> From: foo at bar.com
> 
> 
> BUT I really think making such distinctions is the wrong approach.
> It really doesn't matter what type of signature it is. I'd even
> advocate for a DKIM update that would cause all signatures to be 2nd
> or 3rd to enforce the point.
> 
That seems aligned with Steve's point about DKIM's value coming (only?) when the d= value is not the same as the domain-name in the from: field.  So according to you (and Steve?) the IETF should pass a normative requirement that all verified email be hired out to 3rd parties?!  That strikes me as very anti-Internet.
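
The two labelings described in the quoted message, as an added example that is not part of the original thread: it compares the d= tag of a DKIM-Signature with the From: domain and returns both the label under the "d= not From Domain" reading of 3rd party and the label when a signing subdomain is called 2nd party. The function names and the sample header values are constructed for illustration; only the domains come from the thread.

```python
import re
from email.utils import parseaddr


def dkim_tags(sig_value):
    """Parse a DKIM-Signature value (a ';'-separated tag=value list) into a dict."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Header folding can leave whitespace inside a value; drop it.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def author_domain(from_value):
    """Return the lowercased domain of the address in a From: header value."""
    addr = parseaddr(from_value)[1]
    return addr.rpartition("@")[2].lower()


def classify(sig_value, from_value):
    """Return (label_a, label_b) for one signature/From pair.

    label_a: 3rd party means d= is not the From domain (first reading quoted).
    label_b: as label_a, except a subdomain of the From domain is 2nd party.
    """
    d = dkim_tags(sig_value).get("d", "").lower().rstrip(".")
    author = author_domain(from_value)
    if not d or not author:
        return ("invalid", "invalid")
    if d == author:
        return ("1st-party", "1st-party")
    if d.endswith("." + author):  # label-boundary match, so notbar.com != bar.com
        return ("3rd-party", "2nd-party")
    return ("3rd-party", "3rd-party")


# Constructed sample headers using the domains from the thread.
SAMPLES = [
    ("v=1; a=rsa-sha256; d=bar.com; s=sel1", "Foo <foo@bar.com>"),
    ("v=1; a=rsa-sha256; d=dkim.bar.com; s=sel1", "foo@bar.com"),
    ("v=1; a=rsa-sha256; d=beer.com; s=sel1", "foo@bar.com"),
]

if __name__ == "__main__":
    for sig, frm in SAMPLES:
        print(dkim_tags(sig)["d"], author_domain(frm), classify(sig, frm))
```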




