ietf-dkim

Re: [ietf-dkim] ADSP Informative Note on parent domain signing

2009-04-07 17:40:57

On Apr 7, 2009, at 1:58 PM, Siegel, Ellen wrote:

Maybe something more like the following?

"ADSP should not be used for domains that use "i=" values to enable  
a parent domain to sign for a subdomain (as described in section 3.8  
of [RFC4871]) unless an additional signature where the "d=" domain  
matches the "i=" domain is added."

Disagree.  The proposed change in the ADSP Author Domain Signature
definition is to allow the i= value to represent any sub-domain and/or
any local-part within the domain.  Unless further revised, the Author
Signature definition still requires a valid DKIM signature applied by
the Author Domain.  In other words, the From email-address domain
(Author Domain) and the SDID must be the same.

The current ADSP Author Signature definition in Section 2.7 states the  
following:
,---
An "author signature" is a Valid Signature that has the _same_ domain  
name in the DKIM signing identity as the domain name in the Author  
Address.
'---
Dropping the i= value as a constraining issue was the goal.  This can  
be done by striking the following in
Section 2.7:
,---
If the DKIM signing identity has a Local-part, it is to be identical to
the Local-part in the Author Address.  Following [RFC5321], Local-part
comparisons are case sensitive, but domain comparisons are case
insensitive.

For example, if a message has a Valid Signature, with the
DKIM-Signature field containing "i=a@domain.example", then
domain.example is asserting that it takes responsibility for the
message.  If the message's From: field contains the address
"b@domain.example", that would mean that the message does not have a
valid Author Signature.  Even though the message is signed by the same
domain, it will not satisfy ADSP that specifies "dkim=all" or
"dkim=discardable".

Note:   ADSP is incompatible with valid DKIM usage in which a signer
uses "i=" with values that are not the same as addresses in mail
headers.  In that case, a possible workaround could be to add a second
DKIM signature with a "d=" value that matches the Author Address, but
no "i=".
'---

The following could be an appropriate note:

Informative Note:  DKIM signing by parent domains as described in
section 3.8 of [RFC4871], where a parent domain signs for a sub-domain
within the From email-address, will not represent an Author Domain
Signature.  ADSP requires the From email-address domain (Author
Domain) and the signing domain (SDID) to be the same.

-Doug
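The Author Signature comparison argued over in the message above, as an added example that is not part of the original thread or of any ADSP implementation: it models the test two ways, once with the quoted Section 2.7 text (i= domain must match the From domain and an i= Local-part must match the From Local-part case-sensitively) and once with the proposed relaxation (i= ignored, only the SDID in d= compared against the Author Domain). The DKIM-Signature values, the From addresses and the tag parser are constructed for the example; the signatures are assumed to be already Valid, so b= and bh= are placeholders and no cryptography is performed.

```python
"""
Added example: ADSP "Author Signature" identity comparison, modelled two
ways.  This is illustration code, not the ADSP text or a DKIM library.
The signatures below are constructed and assumed already Valid; only the
identity comparison (From domain vs. d=, and optionally i=) is modelled.
"""
import re

# addr-spec or name-addr: optional display name and '<', local-part (may be
# empty, as in "i=@sub.domain.example"), '@', domain, optional '>'.
_ADDR_RE = re.compile(r"^\s*(?:[^<]*<)?([^<>@\s]*)@([^<>@\s]+)>?\s*$")


def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature tag list ('tag=value; tag=value') into a dict.

    Deliberately minimal: folding whitespace is dropped from values and no
    b=/bh= validation happens; a real verifier has already done that.
    """
    tags = {}
    for item in header_value.replace("\r\n", "").split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags


def split_address(addr):
    """Return (local_part, domain) for an address, or (None, None)."""
    m = _ADDR_RE.match(addr or "")
    return (m.group(1), m.group(2)) if m else (None, None)


def is_author_signature(from_addr, dkim_sig, drop_i_constraint=False):
    """Is this one (Valid) signature an ADSP Author Signature for From?

    Always required: the Author Domain (From domain) equals the SDID (d=),
    compared case-insensitively.  A parent domain signing for a subdomain
    fails right there under either reading.

    drop_i_constraint=False applies the quoted Section 2.7 text: the i=
    domain must also equal the Author Domain, and an i= Local-part must
    equal the From Local-part case-sensitively (RFC 5321 rules).
    drop_i_constraint=True ignores i= entirely, as the message proposes.
    """
    tags = parse_dkim_tags(dkim_sig)
    sdid = tags.get("d", "")
    from_local, from_domain = split_address(from_addr)
    if not sdid or from_domain is None:
        return False
    if from_domain.lower() != sdid.lower():
        return False  # e.g. d=domain.example signing From b@sub.domain.example
    if drop_i_constraint or "i" not in tags:
        return True  # i= defaults to "@<d>", which carries no Local-part
    i_local, i_domain = split_address(tags["i"])
    if i_domain is None:
        return False  # malformed i=
    if i_domain.lower() != from_domain.lower():
        return False  # i= naming a subdomain of d= is not the Author Domain
    return i_local == "" or i_local == from_local


def has_author_signature(from_addr, dkim_sigs, drop_i_constraint=False):
    """A message may carry several signatures; any one Author Signature
    satisfies ADSP.  This is the 'add a second signature with a matching
    d= and no i=' workaround from the quoted Note."""
    return any(is_author_signature(from_addr, s, drop_i_constraint)
               for s in dkim_sigs)


# Constructed sample signatures (b=/bh= are placeholders, assumed verified).
SIG_I_A = ("v=1; a=rsa-sha256; d=domain.example; s=sel; "
           "i=a@domain.example; h=from; bh=X; b=Y")
SIG_NO_I = "v=1; a=rsa-sha256; d=Domain.Example; s=sel; h=from; bh=X; b=Y"
SIG_PARENT = ("v=1; a=rsa-sha256; d=domain.example; s=sel; "
              "i=@sub.domain.example; h=from; bh=X; b=Y")

if __name__ == "__main__":
    cases = [
        ("a@domain.example", [SIG_I_A]),        # i= matches From
        ("b@domain.example", [SIG_I_A]),        # the RFC text's failing case
        ("b@domain.example", [SIG_I_A, SIG_NO_I]),  # second-signature workaround
        ("b@sub.domain.example", [SIG_PARENT]),  # parent signs for subdomain
    ]
    for frm, sigs in cases:
        print(f"{frm:24s} current={has_author_signature(frm, sigs)!s:5s} "
              f"proposed={has_author_signature(frm, sigs, True)}")
```

Running it shows the two readings diverge only on the i= Local-part case (b@domain.example signed with i=a@domain.example), while the parent-domain case fails under both, which is the point of the proposed Informative Note.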


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html