Re: [ietf-dkim] ADSP Informative Note on parent domain signing

Hector Santos <hsantos@santronics.com> Tue, 07 April 2009 00:39 UTC

DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=mipassoc.org; s=k00001; t=1239064768; bh=0K28ZAqp7YiWQ5VjeTj11IiQgtY=; h=Message-ID:Date: From:MIME-Version:To:References:In-Reply-To:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Type:Content-Transfer-Encoding:Sender; b=VoycWhYGhl3TbRGVH nLsmfKdjSFeuzbD6IshaM8EVxO+OhcQKR20IAOJyIPgkou1rb1o+UzD/XdbZo9+vfgs VipZBdMCuT1Obw5f9kELZGU20miDSYNAmuIOY331+WGm1chaBt8ULqv4nhkYGebZOdT 0VANKd8nB7Sf4Na+l+0A=
Message-ID: <49DAA0AD.3010407@santronics.com>
Date: Mon, 06 Apr 2009 20:39:09 -0400
From: Hector Santos <hsantos@santronics.com>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.0 (Windows/20070326)
MIME-Version: 1.0
To: Jim Fenton <fenton@cisco.com>
References: <49DA9211.7050001@cisco.com>
In-Reply-To: <49DA9211.7050001@cisco.com>
Cc: IETF DKIM WG <ietf-dkim@mipassoc.org>
Subject: Re: [ietf-dkim] ADSP Informative Note on parent domain signing

Jim Fenton wrote:
> There remains some disagreement on whether the "informative note"
> contained in the last paragraph of the text I proposed on March 27
> should appear in the ADSP draft.  The note said:
> 
>> Informative Note:  ADSP is incompatible with DKIM signing by parent
>> domains described in section 3.8 of [RFC4871] in which a signer uses 
>> "i=" to assert that a parent domain is signing for a subdomain.
>>   
> This would replace the Note in draft-ietf-dkim-ssp-09, section 2.7.
> 
> Thus far, I feel it should be included and John Levine and Dave Crocker
> feel it shouldn't.  May we have guidance from others in the Working
> Group, please?

My input:

Maybe I don't quite see the issues, but I've been doing more testing 
lately to see how this is all going to fit, and there seems to be a 
need to deal with issues for the high-potential cases:

1) same primary domain name spaces

     From: user @ subdomain.primary-domain.com
     DKIM-Signature:  d=primary-domain.com

     or

     From: user @ primary-domain.com
     DKIM-Signature:  d=subdomain.primary-domain.com

2) "3rd party" or non-author domain name space

     From: user @ primary-domain.com
     DKIM-Signature:  d=some-other-domain.com

As far as the i= is concerned, as long as the h= binds the From: header 
(as it must per 4871), the i= appears to me as an "extra" bit of 
information that is not required for DKIM 4871 verification.

Lacking applications for usage, I don't see how i= "helps".  I think I 
understand some people want to use it as feed to some future or 
current trust service in the works.  But I see that as gravy information.

If the "issue" relates to non-author domain signatures, then of 
course, I will always continue to believe we have neglected to resolve 
the 3rd party design issue from a "Fraud Protection" standpoint. Not 
the whitelisting part of that design, the blacklisting.  No one wants 
to hear that (at least here), and that's unfortunate because all my 
engineering experience and logic tell me that it will continue to be 
a thorn in (DKIM's) side and, in my view, the #1 threat to DKIM's wide 
acceptance and adoption. I would think that would mean something to 
the marketing of DKIM. But that's me.

If the i= is supposed to address that, Jim, then I would love to hear and 
understand it, because currently I don't see how that helps.

-- 
Sincerely

Hector Santos
http://www.santronics.com
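The three cases Hector lists above (parent domain signing for a subdomain author, a subdomain signing for the parent, and a third-party domain signing), and the point that h= must bind From: while i= is extra, can be checked mechanically. The following is an added example, not code from the post or from any WG implementation. It assumes the ADSP definition of an Author Domain Signature as an exact match between the d= tag and the From: domain, and the RFC 4871 rule that the i= domain must be the same as, or a subdomain of, d= (defaulting to "@" + d= when absent). The sample From:/DKIM-Signature pairs are constructed; the helper names (`parse_dkim_tags`, `classify`, `within`) are hypothetical.

```python
import email.utils
import re

# Added example (not from the original post): classify the relationship between
# a message's From: domain and the DKIM d=/i= tags for the cases in the post.
# Assumptions: ADSP credits only a signature whose d= equals the From: domain
# exactly; RFC 4871 requires the i= domain to lie within d= and h= to cover From:.

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into a {tag: value} dict (RFC 4871 tag=value list).
    Folding whitespace inside values (e.g. in b= or h=) is discarded."""
    tags = {}
    for item in header_value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return tags

def author_domain(from_header):
    """Domain part of the address in the From: header, lower-cased."""
    _, addr = email.utils.parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def within(child, parent):
    """True if child equals parent or is a subdomain of it (label-aligned)."""
    child, parent = child.lower(), parent.lower()
    return bool(parent) and (child == parent or child.endswith("." + parent))

def classify(from_header, dkim_header):
    tags = parse_dkim_tags(dkim_header)
    d = tags.get("d", "").lower()
    signed_headers = [h.lower() for h in tags.get("h", "").split(":") if h]
    # RFC 4871 default for i= is "@" + d; the i= domain must lie within d=.
    agent = tags.get("i", "@" + d).rpartition("@")[2].lower()
    author = author_domain(from_header)

    if d == author:
        relation = "author-domain"      # d= is exactly the From: domain
    elif within(author, d):
        relation = "parent-domain"      # case 1: parent signs for a subdomain author
    elif within(d, author):
        relation = "subdomain"          # case 1: subdomain signs for the parent author
    else:
        relation = "third-party"        # case 2: non-author domain signature

    from_bound = "from" in signed_headers  # h= must cover From: (RFC 4871)
    return {
        "relation": relation,
        "from_bound": from_bound,
        "i_within_d": within(agent, d),    # i= domain inside d= (RFC 4871 i= tag / 3.8)
        # ADSP only credits an exact d= match, so parent-domain signing via i=
        # is not an Author Domain Signature, which is what the draft note says.
        "adsp_author_signature": relation == "author-domain" and from_bound,
    }

# Constructed sample inputs mirroring the cases in the post (plus the exact-match case).
SAMPLES = {
    "parent_signs_for_subdomain": (
        "user@subdomain.primary-domain.com",
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=primary-domain.com; s=sel;"
        " i=@subdomain.primary-domain.com; h=from:to:subject:date; bh=...; b=...",
    ),
    "subdomain_signs_for_parent": (
        "user@primary-domain.com",
        "v=1; a=rsa-sha256; d=subdomain.primary-domain.com; s=sel;"
        " h=from:to:subject; bh=...; b=...",
    ),
    "third_party": (
        "user@primary-domain.com",
        "v=1; a=rsa-sha256; d=some-other-domain.com; s=sel; h=from:to; bh=...; b=...",
    ),
    "author_domain": (
        "user@primary-domain.com",
        "v=1; a=rsa-sha256; d=primary-domain.com; s=sel; h=from:to; bh=...; b=...",
    ),
}

if __name__ == "__main__":
    for name, (frm, sig) in SAMPLES.items():
        print(name, classify(frm, sig))
```

Running it shows the split the thread is arguing about: the first three samples all have From: bound by h= and a well-formed i= within d=, so they verify under RFC 4871, yet only the fourth (exact d= match) counts as an Author Domain Signature for ADSP purposes; i= changes nothing in that determination.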


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html