From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org [mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Hector Santos
Sent: Monday, August 16, 2010 1:36 PM
Subject: [ietf-dkim] Issue 4871bis - DKIM Definition Separation of
> In the current bis draft, it has:
>
>     DomainKeys Identified Mail (DKIM) permits a person, role, or
>     organization that owns the signing domain to claim some
>     responsibility for a message by associating the domain with the
>     message. This can be an author's organization, an operational relay
>     or one of their agents. DKIM separates the question of the identity
>     of the signer of the message from the purported author of the
>     message. Assertion of responsibility is validated through a
>     cryptographic signature and querying the signer's domain directly to
>     retrieve the appropriate public key. Message transit from author to
>     recipient is through relays that typically make no substantive change
>     to the message content and thus preserve the DKIM signature.
>
> I have trouble with the 3rd separation sentence and the potential
> ignorance it presents by breaking the original responsible party.
>
> What is the actual question that it separates?
>
> An association between the purported author and the signer?
> Is it an authorization question?
> Does it absolve the responsibility of the original domain signer?
The sentence is meant to make explicit the fact that the author of a message
and the signer of a message are not necessarily the same thing. So I guess
then the first of your three examples is the right one.
> I don't think the raw DKIM-base document should be making any
> conclusion about what it intends to separate or absolve by moving the
> responsibility to that of the signer.
But the signer (d=) is the only provable entity on a signed message. This was
what was said in the update draft as well (RFC5671).
> By having it, it implies that those using the DKIM-BASE implementation
> can effectively 100% ignore the original responsible domain's own
> signature without technical and even possibly legal repercussions.
I think the problem is that terms like "original responsible domain" are
undefined given that there are no assurances of the validity of any other part
of the message. If you mean the From: field domain, that domain may or may not
match "d=" even if there's a plurality of signatures.
> I don't think a reference to POLICY needs to be made, but only focus
> on the idea that the LAST SIGNER is the responsible party.
I don't think that's necessarily a correct assertion. If a message has four
valid signatures on it, then four parties have accepted some responsibility for
the message. The From: domain doesn't need to match the "d=" on any of them.
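The point made in the reply above (each valid signature's d= is an independent claim of responsibility, and none of them has to match the From: domain) is easy to see when a receiver lists what a message actually carries. The following is an added example written for this page, not code from the thread, the list, or any DKIM implementation. The message is constructed, its bh= and b= values are placeholders, and the function names (parse_tags, responsibility_report, within) are this example's own. It only inspects the tags; cryptographic verification of b= against the signer's published key is a separate step.

```python
"""Inspect which domains have signed a message and how they relate to From:."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from the list thread): the author domain
# is example.org, but the message carries two signatures from other domains.
# The bh= and b= values are placeholders, not real hash or signature bytes.
SAMPLE = b"""DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.net;
 s=sel1; h=from:to:subject:date; i=@lists.example.net;
 bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG1=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=relay.example.com;
 s=k2; i=agent@mail.relay.example.com; h=from:to:subject:date;
 bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG2=
From: Alice <alice@example.org>
To: Bob <bob@example.com>
Subject: test
Date: Mon, 16 Aug 2010 13:36:00 -0400

Hello Bob.
"""


def parse_tags(value):
    """Split a DKIM-Signature tag=value list (RFC 4871 section 3.2) into a dict.

    Whitespace inside values is dropped, since folding whitespace is not
    significant in tag values.
    """
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[name.strip()] = "".join(val.split())
    return tags


def domain_of(addr):
    """Return the lowercase domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower()


def within(sub, parent):
    """True if sub equals parent or is a subdomain of it."""
    return sub == parent or sub.endswith("." + parent)


def responsibility_report(raw):
    """For each DKIM-Signature header, report the signer (d=), whether its
    signing identity (i=, defaulting to @d) lies within d= as RFC 4871
    requires, and whether the signer happens to be the From: domain.

    Returns (from_domain, [per-signature dicts]).  Signature verification
    is deliberately not done here; this is only about who claims what.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(parseaddr(str(msg["From"]))[1])
    report = []
    for hdr in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(hdr))
        d = tags["d"].lower()
        i_domain = domain_of(tags.get("i", "@" + d))
        report.append({
            "d": d,
            "i_within_d": within(i_domain, d),
            "d_matches_from": within(from_domain, d),
        })
    return from_domain, report


if __name__ == "__main__":
    author, sigs = responsibility_report(SAMPLE)
    print("From: domain:", author)
    for entry in sigs:
        print(entry)
```

Run against the constructed message, the report lists two signers, lists.example.net and relay.example.com, each with a well-formed i= and neither equal to the From: domain example.org; a receiver that treats only "the last signer" or only a d= matching From: as responsible would be discarding claims that the other signers have validly made.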