ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp

2009-01-06 20:36:51
from [MH Michael Hammer (5304)] [Permanent Link] 



-----Original Message-----
From: Jim Fenton [mailto:fenton(_at_)cisco(_dot_)com]
Sent: Tuesday, January 06, 2009 6:10 PM
To: MH Michael Hammer (5304)
Cc: John L; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp

It really applies to the implementation of the checker, and not to the
publication of ADSP records.

At the risk of repeating myself, here's an example of when it's
important.  Suppose the ietf.org mailing list manager signs its mail
using i=ietf(_at_)ietf(_dot_)org(_dot_)  The IETF Chair sends a message to 
the list,
using From: <chair(_at_)ietf(_dot_)org>.  I contend it would be bad for the

mailing

list manager signature to be confused with an author signature.



But in terms of the receiving domain checking, why would they make a
distinction from an ADSP perspective? The question at hand is whether
all email from a particular (sub) domain is signed. If a domain is
making this type of assertion, then it is looking at ietf.org and
shouldn't really care whether the user is chair@ or ietf(_at_)(_dot_) If you are
asserting that one might be signed and the other not then I think there
is an issue. If you assert that both are signed but the signatures might
be different (within the same domain but with different selectors for
example then I'm going to say fine because if ietf.org asserts it signs
all mail then it still works. It is the domain that is important, not
the user part for the all assertion. 


This example involves the use of local-parts, but one could also come

up

with (somewhat more contrived) examples where the mailing list manager
is at lists.example.com and some users are at users.example.com.  If

the

keys are published in the example.com domain (d=example.com) and i=
isn't being used, it isn't possible to distinguish author signatures

and

list signatures.



Distinguish to what purpose Jim? 

Either they are signed or they aren't signed from an ADSP perspective.
If distinguishing at this granularity is important then publish ADSP for
lists.example.com/DKIM sign for that domain (d=) and publish ADSP for
users.example.com/DKIM sign for that domain (d=). The author signatures
are clearly distinguished from the list signatures. 

Mike

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp, Jim Fenton
Next by Date:  Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp, Jim Fenton
Previous by Thread:  Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp, Jim Fenton
Next by Thread:  Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp, Jim Fenton
Indexes:  [Date] [Thread] [Top] [All Lists]