ietf-dkim

Re: [ietf-dkim] Consensus point on ADSP

2009-04-01 19:22:23
One more try to clarify things, then I'll stop trying.

Charles Lindsey wrote:
> On Tue, 31 Mar 2009 17:30:33 +0100, Jim Fenton <fenton(_at_)cisco(_dot_)com> wrote:
>
>>> So where is your problem?
>>
>> My problem is that the semantics of the signature that the mailing list
>> applies shouldn't depend on whether the original author happens to be in
>> the same domain as the list.
>
> BUT IT DOESN'T!
>
> I am perpetually amazed that people on this list still seem to have no
> idea of how ADSP is supposed to work. They seem to think that the ADSP
> record is somehow related to the domain in the d= of the signature. IT
> ISN'T!

If "people on this list" is referring to me, please say so.  I do not
think as you assert that ADSP is keyed to the d= of the signature.  That
wouldn't make sense, because ADSP has to function in the absence of any
[valid] DKIM signature.

> It is primarily related to the domain in the From: header.

If "primarily related to" means "you use the domain in the From: header
and look up the ADSP for that domain", yes.

> The existence of an ADSP record states that "If you see this domain in the
> From: header of any email, you should expect to see also a valid signature
> with this same domain in its d= (and maybe we also invite you to discard
> it if such a signature is absent)".

Go look at draft-ietf-dkim-ssp-09.  It doesn't say anything about using
d= in this way; it requires a valid Author Signature.  See section 2.7
for the definition of Author Signature, which involves comparing the
From address and the i= address.

> So if a particular mail happens to have foo.example in its From: header,
> and has also been forwarded to a list by that same domain, then WHO CARES
> whether the signature was put there by the mailing list expander, or by
> the normal signing machine for that domain (maybe it had even acquired two
> signatures, one from each and both using the same key)? IT DOESN'T MATTER,
> since it is amply proved to be a genuine message vouched for by that
> domain.
>
> Whether smart Assessors or smart humans choose to look at any i= that may
> be present and may indicate whether the actual signature was put there by
> the mail-list machinery or not is a minor secondary issue. Again, WHO
> REALLY CARES?
>
> So I still don't see that you have raised an actual problem.

So you're voting for the alternative that I posted the other day that
does the comparison with d= instead of i=.  Please correct me if I have
this wrong.

-Jim
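
The two candidate tests argued over in this thread (comparing the From: address with i=, or with d=), as an added example that is not part of the original message or of the draft. It assumes every signature has already verified as valid; the local-part rule in `author_sig_by_i` is an assumed reading of the section 2.7 definition, and the function names and sample signatures are constructed.

```python
from email.utils import parseaddr

def parse_tags(sig):
    """Parse a DKIM-Signature tag list ("k=v; k=v") into a dict."""
    tags = {}
    for part in sig.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags

def split_addr(addr):
    """Return (local-part, lowercased domain); local-part is '' for '@domain'."""
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()

def author_sig_by_i(from_header, sig):
    """i= comparison (assumed rule): domains must match, and if i= carries
    a local-part it must equal the author's local-part."""
    tags = parse_tags(sig)
    identity = tags.get("i", "@" + tags["d"])  # i= defaults to "@" + d=
    a_local, a_dom = split_addr(parseaddr(from_header)[1])
    i_local, i_dom = split_addr(identity)
    return i_dom == a_dom and i_local in ("", a_local)

def author_sig_by_d(from_header, sig):
    """d= comparison: only the signing domain is matched against From:."""
    tags = parse_tags(sig)
    _, a_dom = split_addr(parseaddr(from_header)[1])
    return tags["d"].lower() == a_dom

# Constructed sample data: one author, four already-verified signatures.
FROM = "Alice <alice@foo.example>"
SAMPLES = {
    "author's own signer":    "v=1; d=foo.example; i=alice@foo.example",
    "domain-wide signer":     "v=1; d=foo.example",
    "list in author domain":  "v=1; d=foo.example; i=list-owner@foo.example",
    "list in another domain": "v=1; d=lists.example",
}

def compare():
    """Map each sample to (result under i= rule, result under d= rule)."""
    return {name: (author_sig_by_i(FROM, s), author_sig_by_d(FROM, s))
            for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, (by_i, by_d) in compare().items():
        print(f"{name:24} i-rule={by_i!s:5} d-rule={by_d}")
```

The two rules disagree only for the list that signs inside the author's own domain with its own i= local-part, which is the case the thread is arguing about.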