
Re: [ietf-dkim] ADSP Informative Note on parent domain signing

2009-04-09 19:48:11

On Apr 9, 2009, at 10:11 AM, J.D. Falk wrote:

> Siegel, Ellen wrote:
>
>> Informative Note:  DKIM signatures by parent domains as described
>> in section 3.8 of [RFC4871] (in which a signer uses "i=" to assert
>> that it is signing for a subdomain) do not satisfy the
>> requirements for an Author Domain Signature as defined above.
>> [ . . . ]
>> Works for me.
>
> +1
>
> (I'd use commas instead of parentheses, but that's minor.)

IMHO, this is still wrong.  The i= value should be _ignored_ when  
determining ADSP compliance.  I'll try some examples.

,----
DKIM-Signature: ... d=foo.example.com;
From: jon.doe@foo.example.com
'----
#### This would be a first-party or Author Domain Signature.  Note the  
lack of the i= value.

,----
DKIM-Signature: ... d=example.com;
From: jon.doe@foo.example.com
'----
#### This would not be a first-party or Author Domain Signature.  Again
note the lack of an i= value.

,----
DKIM-Signature: ... d=example.com; i=@foo.example.com
From: jon.doe@example.com
'----
#### This would be a first-party or Author Domain Signature.  Although
in conflict with the prior definition, use of a sub-domain in the i=
value helps ensure against accidental collisions with a real email
address, when the i= value represents a token for the on-behalf-of
identity.


There is no reason for ADSP to facilitate parent domain signing.    
Parent domain ADSP assertions are impossible after all.

Since each ADSP assertion MUST be made at the
"_adsp._domainkey.email-address-domain TXT", creating a DNS entry at
"<s=value>._domainkey.email-address-domain TXT" (which could point to
a parent domain key using CNAME) represents only a minor effort.
When it is too difficult to reference a key from the email-address
domain, then don't make ADSP assertions at sub-domains intended to
send and receive email.

Here is one more attempt at redefining section 2.7.
,----
A valid first party signature or "Author Domain Signature" is a Valid  
Signature where the domain name in the DKIM signing domain (SDID) is  
the same as the Author Domain.

Any sub-domain included within the i= value (AUID) will not affect  
ADSP compliance.  Only email-address domains that reference the DKIM  
key can comply with ADSP assertions.
'----

-Doug
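As an added illustration of the rule Doug proposes above (this is not code from the thread or from any DKIM implementation), a Python check that compares the SDID (d=) with the From: domain and ignores i= entirely, run over his three cases. The headers are constructed for the example, and the selector, hash and signature values are placeholders.

```python
from email.utils import parseaddr

# Constructed sample headers modelled on the three cases in the post above;
# selector, body hash and signature values are placeholders, not real data.
CASES = {
    "first_party": (
        "v=1; a=rsa-sha256; d=foo.example.com; s=sel1; h=from:to:subject;\r\n"
        " bh=placeholderbodyhash=; b=placeholdersig==",
        "Jon Doe <jon.doe@foo.example.com>",
    ),
    "parent_domain_no_i": (
        "v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to:subject;"
        " bh=placeholderbodyhash=; b=placeholdersig==",
        "jon.doe@foo.example.com",
    ),
    "subdomain_in_i": (
        "v=1; a=rsa-sha256; d=example.com; i=@foo.example.com; s=sel1;"
        " h=from:to:subject; bh=placeholderbodyhash=; b=placeholdersig==",
        "jon.doe@example.com",
    ),
}

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature tag-list (RFC 4871 section 3.2) into a dict.
    Folding whitespace inside values is dropped; only the first '=' separates
    tag from value, so base64 padding in bh= and b= survives intact."""
    tags = {}
    for item in header_value.split(";"):
        if not item.strip():
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = "".join(value.split())
    return tags

def author_domain(from_value):
    """Domain part of the (single) address in From:, lower-cased."""
    return parseaddr(from_value)[1].rpartition("@")[2].lower()

def is_author_domain_signature(dkim_value, from_value):
    """Proposed section 2.7 rule: the SDID (d=) must equal the Author Domain.
    The AUID (i=), whether or not it names a sub-domain, plays no part."""
    sdid = parse_dkim_tags(dkim_value).get("d", "").lower()
    return bool(sdid) and sdid == author_domain(from_value)

def key_record_name(dkim_value):
    """DNS name a verifier queries for the public key. It hangs off d=, which
    is why only domains that reference the key can comply with ADSP."""
    tags = parse_dkim_tags(dkim_value)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()
```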



_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
