Hi, Mike...comments inline:
MH Michael Hammer (5304) wrote:
-----Original Message-----
From: Jim Fenton [mailto:fenton(_at_)cisco(_dot_)com]
Sent: Tuesday, January 06, 2009 6:10 PM
To: MH Michael Hammer (5304)
Cc: John L; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp
It really applies to the implementation of the checker, and not to the
publication of ADSP records.
At the risk of repeating myself, here's an example of when it's
important. Suppose the ietf.org mailing list manager signs its mail
using i=ietf(_at_)ietf(_dot_)org(_dot_) The IETF Chair sends a message to
the list,
using From: <chair(_at_)ietf(_dot_)org>. I contend it would be bad for the
mailing
list manager signature to be confused with an author signature.
But in terms of the receiving domain checking, why would they make a
distinction from an ADSP perspective? The question at hand is whether
all email from a particular (sub) domain is signed. If a domain is
making this type of assertion, then it is looking at ietf.org and
shouldn't really care whether the user is chair@ or ietf(_at_)(_dot_) If you
are
asserting that one might be signed and the other not then I think there
is an issue. If you assert that both are signed but the signatures might
be different (within the same domain but with different selectors for
example then I'm going to say fine because if ietf.org asserts it signs
all mail then it still works. It is the domain that is important, not
the user part for the all assertion.
Suppose that ietf.org asserts an ADSP record but doesn't require
signatures on incoming messages, even from its own domain (there's no
requirement that they do). Someone spoofs a message from
chair(_at_)ietf(_dot_)org, which is of course unsigned. The message coming out
of
the list looks like it has an author signature. I have a problem with that.
In this situation, we could require that the mailing list manager not
apply a signature if it might be confused with an author signature, but
then there's no way for it to apply a signature representing the list.
This example involves the use of local-parts, but one could also come
up
with (somewhat more contrived) examples where the mailing list manager
is at lists.example.com and some users are at users.example.com. If
the
keys are published in the example.com domain (d=example.com) and i=
isn't being used, it isn't possible to distinguish author signatures
and
list signatures.
Distinguish to what purpose Jim?
Either they are signed or they aren't signed from an ADSP perspective.
If distinguishing at this granularity is important then publish ADSP for
lists.example.com/DKIM sign for that domain (d=) and publish ADSP for
users.example.com/DKIM sign for that domain (d=). The author signatures
are clearly distinguished from the list signatures.
The d=/i= distinction was originally created to simplify key management
by domains having many subdomains, in that they could publish the keys
in a parent domain (d=) while signing for a subdomain (i=). You're
basically suggesting that we abandon that optimization so that we can
use the d= domain rather than the i= domain for ADSP.
Remember that the lookup address for ADSP is always the domain of the
From address (users.example.com) and not the d=domain. In this
situation ADSP records for lists.example.com and for example.com would
never be referenced.
-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html