ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp

2009-01-06 18:25:53
from [Jim Fenton] [Permanent Link]
(catching up after the Holiday break)

John L wrote: 
(The main implication being that just signing all your outgoing email
may not allow you to advertise "dkim=all", if you e.g. use the "i="
tag to identify a mailing list manager -- the only example of its use
given in RFC 4871.)
    

Ah, good point.  That's straightforward to fix.

I'm not sure I understand the concern -- why would a mailing list manager signature be considered an author signature, or conversely why would a domain apply a mailing list manager signature when it intends to apply an author signature?

The ability to apply a mailing list manager signature, and not have it confused with an author signature when the (alleged) author and the mailing list manager happen to be in the same domain, is one of the strengths of using i=, including the local-part, in comparisons with the From address.

For example, suppose the ietf.org mailing list manager signs its mail using i=ietf(_at_)ietf(_dot_)org.  The IETF Chair sends a message to the list, using From: <chair(_at_)ietf(_dot_)org>.  I contend it would be bad for the mailing list manager signature to be confused with an author signature.
I suppose the alternative, now that we have some experience with i= in 
real life, is to adjust the language in ADSP to match the experience. 
Dunno how the other authors feel about that.

I'd like to understand what you have in mind.
  
2) Protecting subdomains
        
Something like this, perhaps? (added after 2nd para in Section 3.1)

  Note: If an organization wants to publish Author Domain Signing
  Practices for all its subdomains, too, it needs to create ADSP
  records for every _adsp._domainkey_.<subdomain>.domain.example.
  Note that wildcards cannot be used (see Section 6.3); however,
  creating the ADSP records could be automated with suitable DNS
  management tools.
    

OK.

It should also be pointed out that, in this context, hostnames also need to have ADSP records published for them too, since they're considered to be subdomains in the context of email addresses.
  
4) Minor clarifications/nits
        
I think clearly explaining when an organization that signs all
its outgoing email can actually publish a "dkim=all" policy is pretty
important --  although ADSP doesn't (and shouldn't) do everything,
we need to be clear about what it does.
    

It's when the signature matches the From: address.  Shouldn't be too hard 
to say it again.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

  
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp, Douglas Otis
Next by Date:  Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp, Jim Fenton
Previous by Thread:  Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp, Douglas Otis
Next by Thread:  Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp, Jim Fenton
Indexes:  [Date] [Thread] [Top] [All Lists]