ietf-dkim

Re: [ietf-dkim] ADSP Informative Note on parent domain signing

2009-04-07 20:24:22

On Apr 7, 2009, at 3:32 PM, Jim Fenton wrote:

> John Levine wrote:
>>> But what section 2.7 talks about has to do with the use of the i=
>>> value.
>>
>> Huh?  In our current draft, there's no mention of i= other than
>> your proposed warning.
>
> Sorry; typo (shifted left on the keyboard).  I meant to say section
> 3.8 (of RFC 4871).

Jim,

You are right.  The term "Signing Identity" in ADSP Section 2.7 was
seen as representing the SDID.

The ADSP Author Domain Signature definition in Section 2.7 needs to
change to the following:

A valid first party signature, "Author Domain Signature", is a Valid
Signature where the domain name in the DKIM signing domain (SDID) is
the same as the domain name in the Author Address.


Strike the following in Section 2.7:
,---
If the DKIM signing identity has a Local-part, it is to be identical to
the Local-part in the Author Address.  Following [RFC5321], Local-part
comparisons are case sensitive, but domain comparisons are case
insensitive.

For example, if a message has a Valid Signature, with the DKIM-
Signature field containing "i=a@domain.example", then domain.example
is asserting that it takes responsibility for the message.  If the
message's From: field contains the address "b@domain.example", that
would mean that the message does not have a valid Author Signature.
Even though the message is signed by the same domain, it will not
satisfy ADSP that specifies "dkim=all" or "dkim=discardable".

Note:   ADSP is incompatible with valid DKIM usage in which a signer
uses "i=" with values that are not the same as addresses in mail
headers.  In that case, a possible workaround could be to add a second
DKIM signature with a "d=" value that matches the Author Address, but no
"i=".
'---

The following note could be added:

Informative Note:  Signing by parent domains as described in section
3.8 of [RFC4871], where a parent domain signs for a sub-domain within
the From email-address, does not represent a valid first party
signature or "Author Domain Signature".  A valid first party signature
requires the From email-address domain (Author Domain) and the signing
domain (SDID) to be the same.
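The check described in this message, as an added example that is not part of the thread, the ADSP draft, or any DKIM implementation: the proposed definition compares only the signing domain (the d= tag, the SDID) with the Author Domain, case-insensitively, so a parent domain signing for a sub-domain (RFC 4871 section 3.8) does not yield an Author Domain Signature. The struck text is modelled alongside it to show the difference: it additionally required an i= Local-part, when present, to equal the From Local-part. The DKIM-Signature values and From: headers below are constructed samples; the tag parsing is a simplified reading of the RFC 4871 tag=value syntax, and signature validity is passed in as a flag rather than verified cryptographically.

```python
"""Added example: evaluating an ADSP "Author Domain Signature".

Constructed sample inputs; the signature verification step (is the
DKIM signature a Valid Signature at all?) is assumed to have already
run and is passed in as the signature_valid flag.
"""
import email.utils
import re


def parse_tags(dkim_signature: str) -> dict:
    """Parse a DKIM-Signature field value into a {tag: value} dict.

    RFC 4871 section 3.2 tag=value lists are ';'-separated; folding
    whitespace inside a value is removed before the value is stored.
    """
    tags = {}
    for part in dkim_signature.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def author_domain(from_header: str) -> str:
    """Author Domain: the domain part of the From: address, lower-cased
    because domain comparisons are case-insensitive (RFC 5321)."""
    _, addr = email.utils.parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_author_domain_signature(from_header: str, dkim_signature: str,
                               signature_valid: bool = True) -> bool:
    """Proposed Section 2.7 definition: a Valid Signature whose SDID (d=)
    is the same domain as the Author Domain.  i= plays no role, so a
    parent domain signing for a sub-domain does not qualify."""
    if not signature_valid:
        return False
    tags = parse_tags(dkim_signature)
    return tags.get("d", "").lower() == author_domain(from_header)


def is_author_signature_old(from_header: str, dkim_signature: str,
                            signature_valid: bool = True) -> bool:
    """The struck text: on top of the d= match, an i= Local-part (if any)
    had to be identical, case-sensitively, to the From Local-part."""
    if not is_author_domain_signature(from_header, dkim_signature,
                                      signature_valid):
        return False
    i_local = parse_tags(dkim_signature).get("i", "").partition("@")[0]
    if not i_local:
        return True  # no Local-part in i=: nothing further to compare
    _, addr = email.utils.parseaddr(from_header)
    return i_local == addr.rpartition("@")[0]


# Constructed samples (bh= and b= are placeholders, not real hashes).
FROM_A = "Alice <a@domain.example>"
FROM_B = "Bob <b@Domain.Example>"
FROM_SUB = "Carol <c@sub.domain.example>"
SIG_I_A = ("v=1; a=rsa-sha256; d=domain.example; s=sel; "
           "i=a@domain.example; h=from:to:subject; bh=BODYHASH; b=SIGNATURE")
SIG_D_ONLY = ("v=1; a=rsa-sha256; d=domain.example; s=sel; "
              "h=from:to:subject; bh=BODYHASH; b=SIGNATURE")


if __name__ == "__main__":
    # The example from the struck text: signed by the same domain with
    # i=a@..., From: b@... -- proposed definition accepts, old text rejects.
    print("b@ with i=a@ (new):", is_author_domain_signature(FROM_B, SIG_I_A))
    print("b@ with i=a@ (old):", is_author_signature_old(FROM_B, SIG_I_A))
    # Parent domain signing for a sub-domain: not an Author Domain Signature.
    print("parent signs sub-domain:",
          is_author_domain_signature(FROM_SUB, SIG_D_ONLY))
```

The parent-domain case is the one the Informative Note targets: d=domain.example is a perfectly valid signature for mail From: c@sub.domain.example under RFC 4871, but ADSP for sub.domain.example is evaluated against the SDID alone, so such mail is treated as unsigned by the Author Domain.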
  
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html