On August 23, 2005 at 13:53, Jim Fenton wrote:
This goes to what we have been very generically calling first-party and
third-party signatures. The original submission of a message would
normally result in a first-party signature from the supposed author's
domain. A mailing list would apply a third-party signature, which can
be distinguished by the fact that i= does not match the originator's
I think this is a weak inference.
I'm not sure it is safe to infer that a "first-party" signature can
be adequately represented by the i= matching the OA. First, i= does
not have to be complete mailbox specification, so all you have to go
by is the domain portion.
Then, what about service relationships where the author/sending
party is of one domain, but submit all mail through another domain
(due to a service agreement between the two parties)?
In order to satisfy the first-party aspects of the signature,
the mail service domain would have to make sure that the i= and d=
match the OA's domain, and that the OA domain defines the correct
DNS records (which the mail service domain may not have the ability
to do directly) to support signature validation. This makes key
management a problem since the mail domain will own the private key,
but not have the direct ability to publish the public key.
Wrt key management, if the OA domain has the ability specify who is
allowed to perform "first-party" signatures (like through the SSP
record), the mail service domain can handle all the key management
issues without having to coordinate with the OA domain. This can be
a problem if keys are rotated on a frequent basis. SSP records will
be more stable, so OA coordination is not as involved.
BTW, a good reason for the local-part on i= is that it if the original
purported author and the mailing list are in the same domain, it's still
possible for the list to apply a signature and not have it look like a
Are you saying for a signature to be "first-party" the i= must
of a complete mailbox address value?
ietf-dkim mailing list