ietf-dkim

Re: [ietf-dkim] DKIM charter update proposal

2009-10-03 08:36:27
Franck,

Let me clarify that if your system was checking the ADSP record and 
"skipping" or avoiding 3rd party signing of domains with 
DKIM=DISCARD|ALL, then IMO, your system would be protocol consistent 
and behaving correctly.

Blind resigning could cause problems, such as:

1) Receivers rejecting DKIM=DISCARD|ALL author domains with 3rd party
    signatures.

2) Create negative reputation on the 3rd party signer for perpetuating
    continued sending of 1st party ADSP failures.

3) Potentially create a membership removal for continued failure
    at the recipient mail host by not accepting list signed
    distributions.

To mitigate #3, receiver software SHOULD NOT issue an SMTP LEVEL 
negative reply code (45z, 55z) and under ADSP failures, SHOULD
accept the message and silently DISCARD the message as allowed
by RFC 5321 and RFC 5617.  This will resolve issue #3 and also
minimize back scattering.

#2 is still a risk for 3rd party signers if they ignore RFC 5617.

--



hector wrote:


Franck Martin wrote:

I do not see where is the issue? I 3rd party sign emails and I have not 
faced any problems with that (Am I missing something?) The providers
that check DKIM all include a dkim=pass in the mail headers.

Franck,

That's because receivers have yet to support and honor RFC 5617 (ADSP). 
Once they do, your 3rd party signing of domains with ADSP 
DKIM=DISCARD|ALL is subject to mail rejection/discard at receivers.

RFC 5617 says:

     all       All mail from the domain is signed with an Author
               Domain Signature.

     discardable
               All mail from the domain is signed with an
               Author Domain Signature.  Furthermore, if a
               message arrives without a valid Author Domain
               Signature due to modification in transit,
               submission via a path without access to a
               signing key, or any other reason, the domain
               encourages the recipient(s) to discard it.

What Bill is referring to is the "3rd party Policies" that was part of 
the original SSP specification but pulled for ADSP.

SSP included a "concept" that allowed 3rd party signatures, however, the 
complexity was how do we control (authorize) the 3rd party signer.

In other words, how do we tell the world that 1st party domain 
"santronics.com" allows 3rd party signer domain "genuis.com" to sign 
mail on the behalf of santronics.com.

The proposals were to provide a LIST "somewhere" like in the POLICY 
record.  The draft DSAP proposal offered this feature.  The issue with 
that is how big can that list be.

-- 
HLS


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
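
The ADSP checks discussed in the message above, as an added example that is not part of the original thread or of any DKIM implementation: a third-party signer skipping `all`/`discardable` author domains, and a receiver that accepts and then discards instead of issuing a 45z/55z reply. Function names, the "accept-and-flag" handling of `all`, and the sample records are assumptions; the TXT strings published at `_adsp._domainkey.<author-domain>` are passed in rather than looked up.

```python
from enum import Enum

class Adsp(Enum):
    UNKNOWN = "unknown"
    ALL = "all"
    DISCARDABLE = "discardable"

def parse_adsp(txt_records):
    """Map TXT strings from _adsp._domainkey.<author-domain> to a practice.
    Simplification (assumption): the first usable record wins."""
    for txt in txt_records:
        first_tag = txt.split(";", 1)[0]
        name, sep, value = first_tag.partition("=")
        # An ADSP record has to begin with the dkim tag; skip anything else.
        if not sep or name.strip() != "dkim":
            continue
        try:
            return Adsp(value.strip().lower())
        except ValueError:
            return Adsp.UNKNOWN  # unrecognised values are treated as unknown
    return Adsp.UNKNOWN  # no record published

def has_author_signature(author_domain, valid_signer_domains):
    """True if a verified DKIM signature's d= matches the From: domain."""
    return author_domain.lower() in {d.lower() for d in valid_signer_domains}

def third_party_may_sign(practice):
    """Signer side: skip author domains that publish all or discardable."""
    return practice is Adsp.UNKNOWN

def receiver_action(practice, author_domain, valid_signer_domains):
    """Receiver side: never reject at SMTP level on an ADSP failure."""
    if practice is Adsp.UNKNOWN:
        return "accept"
    if has_author_signature(author_domain, valid_signer_domains):
        return "accept"
    if practice is Adsp.DISCARDABLE:
        return "accept-then-discard"  # 250 to the sender, message dropped
    return "accept-and-flag"  # "all": local policy decides (assumption)

if __name__ == "__main__":
    # Constructed sample: list.example re-signed mail from bank.example.
    practice = parse_adsp(["dkim=discardable"])
    print(third_party_may_sign(practice))
    print(receiver_action(practice, "bank.example", ["list.example"]))
```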