ietf-dkim

Re: [ietf-dkim] SSP additional tag?

2006-08-02 12:37:09
On 8/2/06, william(at)elan.net <william(_at_)elan(_dot_)net> wrote:


On Wed, 2 Aug 2006, Damon wrote:

> It does not matter which server adds the tag, only which server is the
> sending MTA.

DKIM is a protocol that does not have much to do with the SMTP session.
As I said - to add this feature in you need to have a DKIM signature
that will tell you which server added it (which is not that hard at
all and brings a number of additional features).



Are you saying the receiving MTA is not going to know what IP it
received the message from?
Or are you saying that there may be multiple receiving MTAs that will each,
in turn, check the signatures? Here I see it breaking. Could you include
this information in the DKIM header information then?

> Mixing DKIM and SPF was where I expected to get flamed- In which case, it is
> just as easy to set the CIDRs in the DKIM DNS entry. While it is SPF-like
> it doesn't mean this really good idea can't be reused.

CIDR does not make sense with DKIM. Listing of domains or servers does
make sense.


CIDRs would not require many more additional lookups.

Come on William.. how many good arguments do I need to convince you ;)
>
> Regards,
> Damon
>
>
> On 8/2/06, william(at)elan.net <william(_at_)elan(_dot_)net> wrote:
>>
>>
>> Some people unfortunately never introduced a tag (present for example in IIM)
>> specifying which server actually adds the DKIM signature. This makes it
>> impossible to extend in the way you proposed as the receiver would not know
>> the server/network responsible for adding a particular signature when email
>> is actually being proposed.  As far as what you proposed about SPF I
>> would advise against it due to different identities being involved at
>> DKIM and SPF and mixing it up is a security hole that may only become
>> apparent a long time in the future.
>>
>> On Wed, 2 Aug 2006, Damon wrote:
>>
>> > I know that I am writing this at great risk of being flamed but the more I
>> > think about it the better it sounds to me.
>> > I believe that it will help with the "I sign some mail" and "I sign no mail"
>> > issues.
>> >
>> > What about using an additional tag to specify where I always sign mail from.
>> >
>> > Such as "I always sign mail from servers on my SPF record or CIDR(s)"
>> >
>> > _domainkey DNS TXT record adding the additional tag (w):
>> >
>> > example._domainkey.example.com. IN TXT "g=; w=spf or (<cidr>[,<cidr>,...]);
>> > k=rsa; p=<key>"
>> >
>> >
>> > This way, domains can junk "I sign some mail" can specify that "I always
>> > sign based on my (w) tag"
>> >
>> >
>> >
>> > Flame away!
>> >
>> > Regards,
>> > Damon Sauer
>>
>

--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
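The proposal in this thread is a hypothetical `w=` tag in the `_domainkey` TXT record, listing either `spf` or a set of CIDRs from which the domain claims mail is always signed. The following is an added example, not code from the thread or from any DKIM implementation: it parses a record in the tag=value form shown above, evaluates the `w=` tag against the IP a receiving MTA connected from, and shows why William's objection matters: the verifier only knows the last hop's IP, not which server added (or should have added) the signature. The record contents, the `w=` tag semantics, the `evaluate` verdicts and the IP addresses are all constructed for illustration.

```python
"""Added example (not from the thread): parse the proposed 'w=' tag in a
DKIM-style _domainkey TXT record and evaluate it against a connecting IP.

The 'w=' tag, its 'spf' keyword and the CIDR list are the proposal under
discussion, not part of the DKIM specification.  All values are constructed.
"""
import ipaddress


def parse_tag_list(record: str) -> dict:
    """Split a 'tag=value; tag=value' record into a dict.

    Mirrors the semicolon-separated tag list used by DKIM key records;
    whitespace around names and values is ignored, empty values are kept.
    """
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, value = item.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def parse_w_tag(value: str):
    """Interpret the hypothetical w= tag: 'spf' or a comma-separated CIDR list."""
    if value.lower() == "spf":
        return "spf"
    # strict=False lets a bare host address be read as a /32 (or /128).
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]


def always_signed_from(record: str, client_ip: str,
                       spf_permitted=frozenset()) -> bool:
    """True if the record claims that mail from client_ip is always signed.

    spf_permitted stands in for the set of IPs an SPF evaluation would
    permit; a real implementation would evaluate the domain's SPF record.
    """
    tags = parse_tag_list(record)
    if "w" not in tags:
        return False
    w = parse_w_tag(tags["w"])
    if w == "spf":
        return client_ip in spf_permitted
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in w)


def evaluate(record: str, client_ip: str, signed: bool) -> str:
    """Receiver-side verdict for one message (constructed semantics).

    'pass'    - a valid signature was present, w= is irrelevant
    'suspect' - unsigned, but w= says mail from this IP is always signed
    'neutral' - unsigned and the IP is outside w=, so w= says nothing
    """
    if signed:
        return "pass"
    return "suspect" if always_signed_from(record, client_ip) else "neutral"


# Constructed record in the thread's proposed form; the p= value is a placeholder.
RECORD = "g=; w=192.0.2.0/24,198.51.100.7; k=rsa; p=<key-placeholder>"


def forwarding_gap() -> tuple:
    """Illustrate the objection raised in the thread.

    A message leaves the domain's MTA (192.0.2.10, inside w=), loses its
    signature while being forwarded, and reaches the final receiver from the
    forwarder's IP (203.0.113.5).  Because nothing in the signature or the
    record tells the receiver which server was responsible for signing, the
    receiver can only check the last hop, and the stripped signature goes
    unnoticed.
    """
    direct = evaluate(RECORD, "192.0.2.10", signed=False)   # "suspect"
    forwarded = evaluate(RECORD, "203.0.113.5", signed=False)  # "neutral"
    return direct, forwarded


if __name__ == "__main__":
    print(parse_tag_list(RECORD))
    print(forwarding_gap())
```

`forwarding_gap()` returns `("suspect", "neutral")`: the same unsigned message is flagged when it arrives directly and passes unremarked when it arrives via a forwarder, which is the "multiple receiving MTAs" case the thread points at.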

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html