Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp
2009-01-06 18:25:53
(catching up after the Holiday break)
John L wrote:
(The main implication being that just signing all your outgoing email
may not allow you to advertise "dkim=all", if you e.g. use the "i="
tag to identify a mailing list manager -- the only example of its use
given in RFC 4871.)
Ah, good point. That's straightforward to fix.
I'm not sure I understand the concern -- why would a mailing list
manager signature be considered an author signature, or conversely why
would a domain apply a mailing list manager signature when it intends
to apply an author signature?
The ability to apply a mailing list manager signature, and not have it
confused with an author signature when the (alleged) author and the
mailing list manager happen to be in the same domain, is one of the
strengths of using i=, including the local-part, in comparisons with
the From address.
For example, suppose the ietf.org mailing list manager signs its mail
using i=ietf@ietf.org. The IETF Chair sends a message to the list,
using From: <chair@ietf.org>. I contend it would be bad for the
mailing list manager signature to be confused with an author signature.
I suppose the alternative, now that we have some experience with i= in
real life, is to adjust the language in ADSP to match the experience.
Dunno how the other authors feel about that.
I'd like to understand what you have in mind.
2) Protecting subdomains
Something like this, perhaps? (added after 2nd para in Section 3.1)
Note: If an organization wants to publish Author Domain Signing
Practices for all its subdomains, too, it needs to create ADSP
records for every _adsp._domainkey_.<subdomain>.domain.example.
Note that wildcards cannot be used (see Section 6.3); however,
creating the ADSP records could be automated with suitable DNS
management tools.
OK.
It should also be pointed out that, in this context, hostnames also
need to have ADSP records published for them, since they're
considered to be subdomains in the context of email addresses.
4) Minor clarifications/nits
I think clearly explaining when an organization that signs all
its outgoing email can actually publish a "dkim=all" policy is pretty
important -- although ADSP doesn't (and shouldn't) do everything,
we need to be clear about what it does.
It's when the signature matches the From: address. Shouldn't be too hard
to say it again.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
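The author-signature test the thread turns on, as an added example that is not part of this message or of the ADSP draft: it assumes the draft's rule is "the signing identity (i=, or d= when i= is absent) must match the From: address, local part included when i= has one", assumes the signatures have already been verified as Valid, and uses constructed header values built from the ietf.org scenario above.

```python
import re
from email.utils import parseaddr

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 4871 section 3.2),
    dropping the folding whitespace that may appear inside values."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def signing_identity(tags):
    """Return (local_part, domain) of the signing identity: the i= tag, or
    '@' + d= when i= is absent (the RFC 4871 default). local_part is '' when
    i= names only a domain."""
    auid = tags.get("i") or "@" + tags["d"]
    local, _, domain = auid.rpartition("@")
    return local, domain.lower()

def is_author_signature(dkim_signature, from_value):
    """Assumed draft rule under discussion: the signing identity must match the
    From: address. A bare-domain i= matches any local part in that domain; an i=
    carrying a local part must equal the From: local part too, so a list manager
    signing as i=ietf@ietf.org is not an author signature for chair@ietf.org."""
    _, author = parseaddr(from_value)
    author_local, _, author_domain = author.rpartition("@")
    sig_local, sig_domain = signing_identity(parse_dkim_tags(dkim_signature))
    if sig_domain != author_domain.lower():
        return False
    return sig_local == "" or sig_local == author_local

def may_publish_dkim_all(outgoing):
    """True only if every (DKIM-Signature, From:) pair carries an author signature:
    one list-manager-signed message rules out advertising dkim=all."""
    return all(is_author_signature(sig, frm) for sig, frm in outgoing)

# Constructed sample: the IETF Chair posts to a list whose manager signs as ietf@ietf.org.
CHAIR_FROM = '"IETF Chair" <chair@ietf.org>'
LIST_MANAGER_SIG = ("v=1; a=rsa-sha256; d=ietf.org; s=sel; i=ietf@ietf.org;\r\n"
                    "\th=from:to:subject; bh=Zm9v; b=YmFy")
CHAIR_SIG = "v=1; a=rsa-sha256; d=ietf.org; s=sel; i=chair@ietf.org; h=from; bh=Zm9v; b=YmFy"
DOMAIN_SIG = "v=1; a=rsa-sha256; d=ietf.org; s=sel; h=from; bh=Zm9v; b=YmFy"  # no i=

if __name__ == "__main__":
    print(is_author_signature(LIST_MANAGER_SIG, CHAIR_FROM))  # False
    print(is_author_signature(CHAIR_SIG, CHAIR_FROM))  # True
    print(may_publish_dkim_all([(CHAIR_SIG, CHAIR_FROM), (LIST_MANAGER_SIG, CHAIR_FROM)]))  # False
```

The bh= and b= values are placeholders; the check above is only the identity comparison that decides whether a Valid Signature counts as an author signature.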