ietf-dkim

Re: [ietf-dkim] Re: ISSUE: Better definition of "DKIM signing complete" required

2006-11-24 06:17:23
Stephen Farrell wrote:

I think that last is a fair point. But I'm still not convinced that
it's up to the DKIM WG (now) to figure out all details of all such
gatewaying cases, which is where we'd be heading if we start on that
road.


+1.

We haven't completely nailed down the integrity alteration or 3rd party issues in the pure email spectrum, including list servers; adding news/email/other gateways would be a nightmare. I speak from direct experience as an author of multi-network gateway systems including a News/Email Gateway. DKIM considerations here would be horrendous, and it would require considerations for the NNTP protocol as well.

That's not to say it can't be done - but it should be based on the BASE DKIM system.

For example, in our news/email system, we can expose mail conferences as Local Newsgroups that an RFC news reader can handle. We have one conference called "Support" where incoming EMAIL is gated into.

Well,

Direction #1 - incoming EMAIL

If the original EMAIL is DKIM signed, then our SMTP processor will validate it. Once validated, our gate will move it into the "support" conference/newsgroup.

When our support staff reads the newsgroup article, our NNTP Server will make sure the EMAIL is transformed to a proper NNTP article to be downloaded.

When our support staff reads the SUPPORT conference via the web site, it looks like a pure EMAIL to them.

In any reading device case, DKIM is already satisfied by the SMTP processor.

Direction #2 - outgoing, replies to support questions

If posting via the RFC NEWSREADER, the NNTP Server will transform the NNTP article to EMAIL.

If posting via the Web site, then it's a straightforward email.

In either case, the SMTP outgoing process will now DKIM sign the message.

The point here is that the two are never mixed up. DKIM is done on the email side. Not the news side.

Now this is where it really gets hairy.

What if we want the NNTP processor to DKIM sign the message?

It could be done and I see less of an issue if the mail remains as News.

But once you begin to gate, now what? Do we strip? Do we add more signatures?

Again, all possible, but we are really but now we will need minimum requirements possibly like signing the Path:, Newsgroup: headers, etc and then possibly carrying them over in the gate. Some mail readers can't handle a Newsgroup header coming in as an EMAIL.

It will get really messy here IMV.

---
HLS


_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
