ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [ietf-dkim] #1398

2007-03-02 09:34:28
from [Hallam-Baker, Phillip] [Permanent Link] 
That OK then, thanks, for clearing that up.

My view of DKIM policy is that there is policy information in both the policy 
record and the key records as folows:

 * A key record describes a POSSIBLE method of signature
 * A policy record describes what is NECESSARY

Since we only consult policy if the key record chacks are unsatisfactory the 
set of algorithm constraint etc descriptions in the key record needs to be 
self-sufficient.



-----Original Message-----
From: Michael Thomas [mailto:mike(_at_)mtcc(_dot_)com] 
Sent: Friday, March 02, 2007 10:37 AM
To: Hallam-Baker, Phillip
Cc: Frank Ellermann; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] #1398

Hallam-Baker, Phillip wrote:

Are you proposing to put this list in the policy record or 

the key record?


I am prepared to think about whether it is necessary in the 

key record or not. It does not in my view belong in the policy record.

  


It would need linked through the policy record to satisfy 
Frank's issue, I think. Otherwise, if I got a message without 
a signature for the Sender, say, I wouldn't know that that 
was abnormal unless I did an SSP lookup. The selector 
wouldn't work since you don't have a selector to look up.

       Mike

The way to express any policy more complex than 'I always 

sign' is to put all the complexity into the key record and to 
provide a means of specifying a restriction set on the key 
records as in the proposed 1368 mechanism.


Otherwise you would end up with complexity in both the key 

record and the policy record. You have to have the 
information in the key record as well because a key record is 
implicitly a statement 'this is one way in which I might sign'. 


  

-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org 
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Michael 
Thomas
Sent: Thursday, March 01, 2007 4:56 PM
To: Frank Ellermann
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] #1398

Frank Ellermann wrote:
    

nothing prevents you from doing an SSP lookup on any address or 
domain that you desire, so at some level you are accommodated.
    
        

No, it's not obvious what it means if the 2822-From domain
      

claims to
    

sign all mails, and the Resent-From domain makes no statement.
  
      

In my implementation I can (and do) sign for a configurable set of 
addresses including From, Sender, Listid, etc. SSP has the 

concept of 

"I sign everything" which right now is implicitly the From address.
What I'm wondering is whether we should make that binding more 
explicit even if we ultimately only choose From, and make it an 
extensible list sort of like:

p=sign-complete:From;

Perhaps now, perhaps in the future we could extent that to be 
something like:

p=sign-complete:From:Sender:Listid;

Which I'm pretty sure addresses your issue directly.


       Mike
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

    





_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Additional lookups (was Re: [ietf-dkim] Re: 1368 straw-poll), Wietse Venema
Next by Date:  RE: [ietf-dkim] Proposed 1368 wording draft 1, Hallam-Baker, Phillip
Previous by Thread:  Re: [ietf-dkim] #1398, Michael Thomas
Next by Thread:  RE: [ietf-dkim] Re: Additional lookups, Hallam-Baker, Phillip
Indexes:  [Date] [Thread] [Top] [All Lists]