On Mar 31, 2009, at 9:30 AM, Jim Fenton wrote:
Why ever not? It is From: someone(_at_)foo(_dot_)example(_dot_) The agent
that
signed it has already satisfied itself that it is genuine
("additional scrutiny" maybe), and it is signed with d=foo.example.
It looks like a Author Signature, it quacks like an Author
Signature, therefore it IS an Author Signature. Subsequent
Assessors should be perfectly happy to accept it (whether the ADSP
for foo.example is "All", "Discardable", or anythng
else).
So where is your problem?
My problem is that the semantics of the signature that the mailing
list applies shouldn't depend on whether the original author happens
to be in the same domain as the list.
It does not. It would only require assertion of i= values.
... Another option would be for the mailing list manager not to
sign this message, which means it needs to do a special case not
to sign messages if they're from the same domain and lack an
Author Signature. This is certainly possible, but would be more
challenging if the MTA manages many domains. I also think it's
the wrong place to solve the problem.
Why should that be? It is either signed by the mailing list
manager, or it is signed by the outgoing gateway to the Big Wide
World, or maybe both. So who cares? Either way, it is sufficiently
well signed for it to be acceptable everywhere.
Perhaps. Or the eventual verifier/assessor may have different
criteria that it uses to evaluate messages from ADSP=all domains
that don't have valid author signatures.
When the definition of valid Author Signature only considers whether
the signature is by the correct domain, then these signature would be
compliant with ADSP. By asserting the i= values, when MUAs or
assessors attempt to annotate sources, it could annotate
"Sender:ietf-examples(_at_)foo(_dot_)example(_dot_)com
" rather than "From:someone(_at_)foo(_dot_)example(_dot_)com". The change in
Author-
Signature definition will not obscure where the message originated as
long as the signer asserts i= values. Such assertions are controlled
by the signing domain.
The change requires the receiver (assessor or MUA) to depend upon
current DKIM i= value semantics for annotations, while also
eliminating double signing to be ADSP compliant where one signature is
on-behalf-of the "ieft-examples(_at_)foo(_dot_)example(_dot_)com" and the other
leaves
the i= value at its default.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html