ietf-dkim

Re: [ietf-dkim] Consensus point on ADSP

2009-03-31 13:52:04
Charles Lindsey wrote:
> On Tue, 31 Mar 2009 06:13:41 +0100, Jim Fenton <fenton@cisco.com> wrote:
>
>> The second two cases are not my example.  Concern #2 in my message has
>> to do with messages where the signing address is a different address in
>> the same domain as the From address.  The correct test case is:
>>
>>     From someone@foo.example
>>     Valid signature from ietf-examples@foo.example
>>
>> Let's also use "all" instead of "discardable" as the test case because
>> it's the harder problem to solve.  As you point out, the mailing list
>> should be acting on the Discardable practice rather than trying to send
>> the message to the list.
>>
>> Let's say that ietf-examples@foo.example is a mailing list that re-signs
>> mail sent to the list (or it could be a forwarder or similar agent).
>> foo.example's mail server gets a message from an address in the same
>> domain, someone@foo.example, that has no Author Signature or has a
>> broken one. ...
>
> But how come it had no Author signature? Presumably because it arrived
> over some internal LAN, and internal mail is not signed (or all signing is
> done at the point where mail is finally dispatched to the Big Wide World
> outside).

Perhaps that was the reason, but it could be a lot of things.  The
notion of "internal" is becoming harder and harder to define.

>> ...  In accordance with the domain's policy, it subjects the
>> message to additional scrutiny because of the "all" practices and lack
>> of an Author Signature.  The message passes this test and is sent to the
>> mailing list manager.
>
> So the mailing list manager, or some agent just prior to it, has satisfied
> itself that it was a valid message from someone@foo.example (hence no
> reason not to send it out to the mailing list).

Right.

>> At this point, the mailing list manager would normally sign the
>> message.  Let's examine this with the i= and d= choices:
>>
>> Using i= as the basis for Author Signature, the list can sign the
>> message, and the eventual verifier/assessor that does an ADSP check will
>> see that it (still) lacks an Author Signature since
>> ietf-examples@foo.example does not match someone@foo.example.
>
> But we are agreed that (at least for now) we don't use i= as the basis for
> Author Signature. The mailing list expander may well add
> i=ietf-examples@foo.example, but that is just so humans (and maybe some
> super-smart Assessors) can observe what has been happening. But, for
> normal Assessors, that i= is just "opaque" stuff that it can ignore.

Go back and look at the message from the Chair that started this
thread.  I had thought that we were debating the merits of the current
wording vs. an alternative that I offered that replaces the definition
of Author Signature and that means we're still discussing i= vs. d= as a
basis for Author Signature.

>> Using d= as the basis for Author Signature, if the list signs the
>> message, an eventual verifier/assessor will erroneously see that
>> signature as an Author Signature, and therefore might not give the
>> message the desired treatment. ...
>
> Why ever not? It is From: someone@foo.example. The agent that signed it
> has already satisfied itself that it is genuine ("additional scrutiny"
> maybe), and it is signed with d=foo.example. It looks like an Author
> Signature, it quacks like an Author Signature, therefore it IS an Author
> Signature. Subsequent Assessors should be perfectly happy to accept it
> (whether the ADSP for foo.example is "All", "Discardable", or anything
> else).
>
> So where is your problem?

My problem is that the semantics of the signature that the mailing list
applies shouldn't depend on whether the original author happens to be in
the same domain as the list.

>> ...  Another option would be for the mailing
>> list manager not to sign this message, which means it needs to do a
>> special case not to sign messages if they're from the same domain and
>> lack an Author Signature.  This is certainly possible, but would be more
>> challenging if the MTA manages many domains.  I also think it's the
>> wrong place to solve the problem.
>
> Why should that be? It is either signed by the mailing list manager, or it
> is signed by the outgoing gateway to the Big Wide World, or maybe both. So
> who cares? Either way, it is sufficiently well signed for it to be
> acceptable everywhere.

Perhaps.  Or the eventual verifier/assessor may have different criteria
that it uses to evaluate messages from ADSP=all domains that don't have
valid author signatures.

-Jim

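To make the i= vs. d= disagreement above concrete, here is an added worked example (not code from this thread or from any DKIM implementation) that runs the test case, From someone@foo.example with a valid list signature from ietf-examples@foo.example, through an ADSP check under both candidate definitions of Author Signature. It assumes the RFC 5617 mapping of practices to verifier results (pass/unknown/fail/discard) and assumes the i= alternative means the full i= identity must equal the From address.

```python
"""Added example: evaluate the thread's test case under both candidate
definitions of "Author Signature".  Not code from the list or any DKIM tool."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A DKIM signature the verifier has already found cryptographically valid."""
    d: str  # signing domain (d= tag)
    i: str  # agent/user identifier (i= tag), e.g. "ietf-examples@foo.example"


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased for comparison."""
    return addr.rsplit("@", 1)[-1].lower()


def is_author_signature(from_addr: str, sig: Signature, basis: str) -> bool:
    """basis="d": the RFC 5617 rule, d= must equal the From: domain.
    basis="i": the alternative debated in the thread; assumed here to mean
    the i= identity must equal the full From: address."""
    if basis == "d":
        return sig.d.lower() == domain_of(from_addr)
    if basis == "i":
        return sig.i.lower() == from_addr.lower()
    raise ValueError(f"unknown basis {basis!r}")


def adsp_result(from_addr: str, sigs, practice, basis: str) -> str:
    """Map Author-Signature presence plus the published practice onto an
    RFC 5617 verifier result ("none" when the domain publishes no record)."""
    if any(is_author_signature(from_addr, s, basis) for s in sigs):
        return "pass"
    if practice is None:
        return "none"
    return {"all": "fail", "discardable": "discard"}.get(practice, "unknown")


# Constructed input: the message as it leaves the list, re-signed by the list.
FROM_ADDR = "someone@foo.example"
LIST_SIGNATURE = Signature(d="foo.example", i="ietf-examples@foo.example")


def compare_bases(practice: str = "all") -> dict:
    """Result the eventual assessor reaches under each basis."""
    return {b: adsp_result(FROM_ADDR, [LIST_SIGNATURE], practice, b)
            for b in ("d", "i")}


if __name__ == "__main__":
    for basis, result in compare_bases().items():
        print(f"basis={basis}: ADSP result = {result}")
```

Under d= the list's signature is indistinguishable from an Author Signature and the message passes; under i= it does not, so an "all" domain sees an ADSP failure for a message the list already vetted.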

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
