Re: [ietf-dkim] ADSP Informative Note on parent domain signing

2009-04-13 12:45:40

On Apr 13, 2009, at 6:04 AM, Jim Fenton wrote:

Consider a domain that uses sub-domains for their mailing-lists that are signed using Parent Domain Signing. Even when a parent domain has ADSP assertions of either an "all" or "discardable", users can still participate in these mailing-lists using Parent Domain Signing and be compliant with ADSP. Compliance cannot be defined in terms of Parent Domain Signing, since the i= value can contain sub-domains.

I don't understand what "users can participate in these mailing-lists using Parent Domain Signing" means. A signature applied by a mailing list would be an Author Domain Signature, except in the special case where the domain of the mailing list signature happens to be the same as that of the author. It's possible to avoid this special case by having the mailing list domain be different from that of any author, and one way to do that is to give the mailing list(s) a separate subdomain. But that doesn't have anything to do with the caution about Parent Domain Signing.

A parent domain signature applied by the mailing-list might look as follows:

_adsp._domainkey.example.com TXT "dkim=discardable"

From: jon.doe@example.com
DKIM-Signature: i=list-subject@mail-list-ns.example.com;
  d=example.com; ...

When evaluating ADSP, this type of "Parent Domain Signature" is still compliant. Users of "example.com" can participate in "list-subject@mail-list-ns.example.com" without special signatures being needed.

The domain might also use sub-domains as their means to tokenize on-behalf-of entities.

A parent domain signature applied for tokenized entities might look as follows:

From: jon.doe@example.com
DKIM-Signature: i=radius-value@radius-ns.example.com;
  d=example.com; ...

When evaluating ADSP, this type of "Parent Domain Signature" is also still compliant. A caution must not refer to i= values or parent domain signing. The caution should be limited to ensuring the signing domain and the email-address domain be the same. "Parent Domain Signing" is ONLY about the i= value, where the i= value is ignored for ADSP compliance.

-Doug
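The point Doug makes above is that an ADSP evaluator compares only the signature's d= tag with the From: address domain and never looks at i=. The following Python is an added illustration of that evaluation and is not part of the original message or of any DKIM implementation. It parses the DKIM-Signature tag list, extracts the author domain, and decides the ADSP outcome for both example signatures from the thread. The sample headers are constructed; the `verified` flag stands in for the cryptographic signature check, which this example assumes has already been done elsewhere.

```python
import re

# Constructed sample data (not from the original message); the addresses are
# the example.com ones used in the thread.
ADSP_RECORD = "dkim=discardable"          # _adsp._domainkey.example.com TXT
FROM_HEADER = "Jon Doe <jon.doe@example.com>"

# Parent domain signature as in the thread: i= names a sub-domain, d= is the
# parent domain of the author address.
SIG_PARENT = ("v=1; a=rsa-sha256; d=example.com; s=lists; "
              "i=list-subject@mail-list-ns.example.com; h=from:to:subject; "
              "bh=CONSTRUCTED; b=CONSTRUCTED")

# A signature made by the sub-domain itself (d= is the sub-domain, not the
# author's domain), so it is not an Author Domain Signature.
SIG_SUBDOMAIN = ("v=1; a=rsa-sha256; d=mail-list-ns.example.com; s=lists; "
                 "i=@mail-list-ns.example.com; h=from:to:subject; "
                 "bh=CONSTRUCTED; b=CONSTRUCTED")


def parse_tag_list(value):
    """Parse an RFC 6376 tag=value list (DKIM-Signature and ADSP records use
    the same syntax). Folding whitespace inside values is removed and tag
    names are lower-cased."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % item)
        tags[name.strip().lower()] = "".join(val.split())
    return tags


def author_domain(from_header):
    """Domain of the address in From: ('Name <addr>' or a bare address)."""
    m = re.search(r"<([^>]*)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("no address in From: %r" % from_header)
    return domain.lower()


def is_author_domain_signature(from_header, dkim_signature, verified=True):
    """RFC 5617 Author Domain Signature: a valid signature whose d= equals the
    From: domain. The i= tag is not consulted at all. `verified` stands in for
    the cryptographic check, which this example does not perform (assumption)."""
    tags = parse_tag_list(dkim_signature)
    return verified and tags.get("d", "").lower() == author_domain(from_header)


def adsp_result(from_header, dkim_signatures, adsp_record):
    """'pass' if any Author Domain Signature is present; otherwise the action
    implied by the published practice ('none', 'fail' or 'discard')."""
    if any(is_author_domain_signature(from_header, s) for s in dkim_signatures):
        return "pass"
    practice = parse_tag_list(adsp_record).get("dkim", "unknown").lower()
    # RFC 5617: unrecognised practice values are treated as "unknown".
    return {"all": "fail", "discardable": "discard"}.get(practice, "none")


if __name__ == "__main__":
    print(adsp_result(FROM_HEADER, [SIG_PARENT], ADSP_RECORD))     # pass
    print(adsp_result(FROM_HEADER, [SIG_SUBDOMAIN], ADSP_RECORD))  # discard
```

The first call passes because d=example.com matches the From: domain, even though i= names the mail-list-ns sub-domain; the second is discarded under dkim=discardable because the only signature carries d=mail-list-ns.example.com, which is a different domain from the author's.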
