ietf-dkim
[Top] [All Lists]

[ietf-dkim] draft-ietf-dkim-ssp, "Author Signatures" and "i=" tag

2008-12-17 07:22:59
(Continuing from my previous email):     

The terms "Valid Signature from an Author Domain" and "Author
Signature" are very easily confused. If I understood Doug's comments
right, he's essentially proposing making these two terms identical. 
That would certainly simplify things, but since the WG has decided 
otherwise, we need to make sure the distinction is understood
by the reader. 

Going over places that may need some clarification:

Section 1 should probably explicitly say that while RFC 4871 does not
require the value of the "i=" tag to match the identity in any message
header fields, this document can express a signing practice that
requires it to match as described in Section 2.7.  Using this signing
practice prevents the use of the "i=" tag for other purposes (such as
expressing what the signer actually authenticated) in the future.

Section 3.2:
  o If a message has a Valid Signature from an Author Domain, ADSP
    provides no benefit relative to that domain since the message is
    already known to be compliant with any possible ADSP for that
    domain.

"If a message has an Author Signature, ..."?

Section 3.2:
  o  If a message has a Valid Signature from a domain other than an
     Author Domain, the receiver can use both the Signature and the
     ADSP result in its evaluation of the message.

"If a message has a Valid Signature that from a domain other than an
Author Domain, or a Valid Signature from an Author Domain that does
not meet the requirements of Author Signature, .."?

Section 3.3:
  o  Messages from this domain might or might not have an author
     signature.  This is the default if the domain exists in the DNS
     but no ADSP record is found.

While technically this is true, "might or might not have an Author
Signature (and might or might not have other Valid Signatures that
are not Author Signatures)" would make the distinction clearer.

Section 3.3:
  o  All messages from this domain are signed.

"All messages from this domain are signed with Author Signatures"

Appendix B should briefly discuss cases where an organization signs
(takes responsibility using Valid Signatures) for all its outgoing
mail, but not always with Author Signatures (so it can't advertise
dkim=all/dkim=discardable policy).  At least the following
cases some to mind:

- "Sender": For example, if John's secretary Michael sends a message
(based on [RFC5322], Appendix A.1.1), and the "i=" tag identifies the
authenticated submitter of this message (Michael), the signature is
not an Author Signature:

   From: John Doe <jdoe(_at_)example(_dot_)com>
   Sender: Michael Jones <mjones(_at_)example(_dot_)com>
   DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=brisbane;
         q=dns/txt; i=mjones(_at_)example(_dot_)com; [...]

- Subdomains: The following signature is not an Author Signature,
because the domain taking responsibility for the email ("example.com")
is not equal to the Author Domain ("eng.example.com").

   From: John Doe <jdoe(_at_)eng(_dot_)example(_dot_)com>
   DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=brisbane;
         q=dns/txt; [...]

If an "i=" tag with value "@eng.example.com" is added, the signature
becomes an Author Signature:

   From: John Doe <jdoe(_at_)eng(_dot_)example(_dot_)com>
   DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=brisbane;
         q=dns/txt; i=(_at_)eng(_dot_)example(_dot_)com; [...]

- Mailing lists: A mailing list exploder that takes responsibility for
messages on the list does not usually add Author Signatures.  For
example, a mailing list exploder for a public mailing list
"foobar-list(_at_)example(_dot_)com" might add the following signature:

   From: joe(_at_)example(_dot_)com
   To: foobar-list(_at_)example(_dot_)com
   Sender: foobar-list-owner(_at_)example(_dot_)com
   DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=brisbane;
         q=dns/txt; i=foobar-list-owner(_at_)example(_dot_)com [...]

The message could, however, contain also an Author Signature, probably
added before the message reaches the mailing list exploder. If Author
Signatures are added by Boundary MTAs, this requires defining the
boundaries correctly.




Comments, thoughts?

Best regards,
Pasi

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>