ietf-dkim

Re: [ietf-dkim] Re: ISSUE: Better definition of "DKIM signing complete" required

2006-11-24 04:21:05


Frank Ellermann wrote:
Stephen Farrell wrote:

  [proposed requirement]
"The protocol MUST state what 'DKIM signing complete' precisely
 means wrt common practises like resending, news, and other uses
 of a 2822-From address".
Two questions:
Can you provide us with an example of the kind of statement
you'd envisage being made in an SSP protocol draft?

"At the moment 'DKIM-signing-complete means that addresses of the
 given domain cannot be used in the From header field of Netnews
 articles.  All newsgroups can be exported from news by news2mail
 gateways to mail.  For moderated newsgroups articles can be
 forwarded almost as is by mail from the server where the article
 was submitted to the moderator, or forwarded by mail from one to
 another moderator in the case of cross-posts in multiple moderated
 newsgroups."
Maybe too verbose. The complete list of issues with PRA, plus some
additional issues for the 2822-From-centric POV of SSP, if it uses
the latter (at the moment 6.3 says it does).

I don't think it's too verbose, but I don't understand how it
answers the question I asked ;-)

You want to add a requirement "The protocol MUST...state..."
I wanted you to give me a strawman statement that would meet
that requirement (that you think is reasonable).


I don't understand why we, now, need to care about other uses of
the 2822-From address?

Because the terminology is messy.  The 2821-From is something like
an envelope-sender, the 2822-From is something like an author, the
news-From (T -6 days to first opportunity of approval) is a poster.

As soon as I say 2822-Resent-From or Resent-Sender: me any decrees
of the original author in an SSP about 2822-From are at best wishful
thinking.  In one of his anti-replay strategies Doug proposed to
strip the signature at the MDA, and then the resender can't resend
this signature even if she's willing to try this.

All I know about MMS-to-mail gateways is that there's an RFC about
it.  Somebody knowing what it's about has to check if and what it
means wrt 'DKIM-signing-complete'.  Maybe nothing, then it's fine.

Or maybe it means "'DKIM-signing-complete' domains cannot be used
in MMS", and if that's the case then SSP has to say so explicitly.

Is somebody here a 'lemonade' expert ?  A 2822-From can be used in
many applications, transformed into mail at some point.  I have no
clue where that might be a problem wrt a 'DKIM-signing-complete'
SSP, the news2mail case is only the most obvious.

Another obvious case which should be explicitly mentioned in the
'DKIM-signing-complete' explanation is SenderID spf2.0/pra:  Even
if we don't care about PRA, a PRA == 2822-From is a normal case.

A domain claiming to be 'DKIM-signing-complete' has to be sure that
there's some DKIM-signing agent on _all_ routes before one of their
spf2.0/pra PASS or NEUTRAL IPs.  Otherwise they screwed up, causing
harm for mails "from" their domain.

I think that last is a fair point. But I'm still not convinced that
it's up to the DKIM WG (now) to figure out all details of all such
gatewaying cases, which is where we'd be heading if we start on that
road.

Stephen.


_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
