Jim Fenton wrote:
John R. Levine wrote:
I sign all my mail, but there's no way I can say that with ADSP. In its
current form, ADSP is broken and useless.
I thought that's what "dkim=all" says:
all All mail from the domain is signed with an Author
Signature.
Do you not sign them with Author Signatures?
Take a look. I sign them all, but I don't use ADSP's version of i=
You keep telling us to do this, but the list manager strips off your
signature. But I think we all know that you're able to do this.
I think that is John's point, an issue we always battled with but
never wanted to fully address - the issue regarding 3rd party signings
or down link signings.
His exclusive signing was lost when it made the transition to the mail
integrity breaking mailing list server (MLS). So you end up with:
DKIM-Signature: d=mipassoc.org ....
Authentication-Results: sbh17.songbird.com;
dkim=pass (1024-bit key)
header.i=johnl@user.iecc.com
From: "John R. Levine" <johnl@iecc.com>
a 3rd party-like signature situation.
In SSP and in DSAP, we wanted to allow domains to define if a 3rd
party was allowed to sign. In fact, in DSAP
http://tools.ietf.org/html/draft-santos-dkim-dsap-00
in regards to MLS (Mailing List Server) considerations:
3.3. Mailing List Servers
Mailing List Servers (MLS) applications who are compliant with DKIM
and DSAP operations, SHOULD adhere to the following guidelines:
Subscription Controls
MLS subscription processes should perform a DSAP check to
determine if a subscribing email domain DSAP policy is restrictive
in regards to mail integrity changes or 3rd party signatures. The
MLS SHOULD only allow original domain policies who allow 3rd party
signatures.
Message Content Integrity Change
List Servers which will alter the message content SHOULD only do
so for original domains with optional DKIM signing practices and
it should remove the original signature if present. If the List
Server is not going to alter the message, it SHOULD NOT remove the
signature, if present.
In John's case, he doesn't have an ADSP record, I don't think. So it's
open season on his domain. Success, Failure, No Signatures, it's
watered down.
But if John has an ADSP policy ALL or DISCARDABLE, the smarter DKIM
integrated MLS should not break the integrity of the message and not
sign on behalf of John.
This was the complexity that we didn't want to deal with. But it all
goes back to a policy description of what a domain allows in regard to
its author domain.
In this case:
Should the AR (Authentication-Results) be used to determine what the
original domain expected? But even here, the identity is different,
user.iecc.com.
If we are going to allow this where there is no policy for the domain,
then maybe the MLS "MUST" bind the new signature with the AR
header.
DKIM-Signature: d=mipassoc.org
h=....;Authentication-Results:
Authentication-Results: sbh17.songbird.com;
dkim=pass (1024-bit key)
header.i=johnl@user.iecc.com
From: "John R. Levine" <johnl@iecc.com>
But we should not allow this to be overall the justification why ADSP
does not work.
There will be domains that do not want their domains to be somehow
replayed as a 3rd party signed mailing list distribution.
If a domain has an ALL or DISCARDABLE policy, a receiver should reject
this type of email. If the domain expects to use its domain in an
open manner like this, then it should not be using any policy or one
that says it is neutral (a waste).
--
Sincerely
Hector Santos
http://www.santronics.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
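The decisions argued over in this thread, as an added example that is not part of any message in it nor of the DSAP draft: a small Python model of what a DKIM-aware mailing list server would check. It reads a domain's ADSP practice from a `dkim=` TXT record (RFC 5617 syntax; no record means "unknown"), parses an Authentication-Results value such as the one quoted above to recover the signing identity, tests whether that identity's domain is the exact From domain (ADSP's Author Domain Signature rule, under which `user.iecc.com` does not count for `iecc.com`), and applies the DSAP-style mailing-list guidelines (subscribe only non-restrictive domains, strip the original signature only when the list will alter the body, never sign on behalf of an ALL/DISCARDABLE domain). The sample header values are constructed from the thread's quotes, the Authentication-Results parser is a simplified one that does not cover the full header grammar, and the `mls_policy_decision` mapping is this example's reading of the guidelines, not a standard.

```python
import re
from email.utils import parseaddr

# Constructed sample header values, modelled on the ones quoted in the thread.
SAMPLE_AUTH_RESULTS = (
    "sbh17.songbird.com; dkim=pass (1024-bit key) "
    "header.i=johnl@user.iecc.com"
)
SAMPLE_FROM = '"John R. Levine" <johnl@iecc.com>'

_METHOD_RE = re.compile(r'(\w+)=(\w+)(?:\s*\(([^)]*)\))?')   # method=result (comment)
_PROP_RE = re.compile(r'([\w.]+)=(\S+)')                      # ptype.property=value


def parse_adsp(txt_record):
    """Return the ADSP practice (unknown / all / discardable) from the
    _adsp._domainkey TXT record, e.g. 'dkim=all'.  A missing or
    unrecognised record is treated as 'unknown', i.e. no restriction."""
    if not txt_record:
        return "unknown"
    m = re.search(r'\bdkim=(unknown|all|discardable)\b', txt_record)
    return m.group(1) if m else "unknown"


def parse_authentication_results(value):
    """Simplified parser: 'authserv-id; method=result (comment) props...'.
    Returns {'authserv_id': str, 'results': [ {method, result, comment, props} ]}."""
    parts = [p.strip() for p in value.split(';') if p.strip()]
    parsed = {"authserv_id": parts[0], "results": []}
    for resinfo in parts[1:]:
        m = _METHOD_RE.match(resinfo)
        if not m:
            continue                          # not a method result, skip it
        props = dict(_PROP_RE.findall(resinfo[m.end():]))
        parsed["results"].append({
            "method": m.group(1), "result": m.group(2),
            "comment": m.group(3), "props": props,
        })
    return parsed


def domain_of(addr):
    """Domain part of a mailbox or header value, lower-cased."""
    return parseaddr(addr)[1].rpartition('@')[2].lower()


def is_author_domain_signature(signing_identity, from_header):
    """ADSP only counts a signature as an Author Domain Signature when the
    signing domain equals the From domain exactly; a subdomain does not."""
    return domain_of(signing_identity) == domain_of(from_header)


def mls_policy_decision(practice, list_alters_content):
    """DSAP-style list behaviour for a subscriber's author domain (this
    example's reading of the guidelines quoted in the thread)."""
    restrictive = practice in ("all", "discardable")
    return {
        # only domains whose practice leaves room for third-party signing
        "accept_subscription": not restrictive,
        # remove the original signature only when the body will be altered
        "strip_original_signature": (not restrictive) and list_alters_content,
        # never sign on behalf of a domain asserting all/discardable
        "sign_on_behalf": not restrictive,
    }


if __name__ == "__main__":
    ar = parse_authentication_results(SAMPLE_AUTH_RESULTS)
    ident = ar["results"][0]["props"]["header.i"]
    print("signing identity:", ident)
    print("author domain signature:", is_author_domain_signature(ident, SAMPLE_FROM))
    for record in (None, "dkim=all", "dkim=discardable"):
        print(record, mls_policy_decision(parse_adsp(record), list_alters_content=True))
```

Run as a script it prints that `johnl@user.iecc.com` is not an Author Domain Signature for `iecc.com`, and that a list which rewrites bodies would subscribe and re-sign only the domain with no ADSP record.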