IETF Logo Mail Archive

Re: [ietf-dkim] A more fundamental SSP axiom

Michael Thomas <mike@mtcc.com> Fri, 04 August 2006 21:42 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G97R1-0002xR-R9 for ietf-dkim-archive@lists.ietf.org; Fri, 04 Aug 2006 17:42:23 -0400
Received: from sb7.songbird.com ([208.184.79.137]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G97HX-0000jn-OM for ietf-dkim-archive@lists.ietf.org; Fri, 04 Aug 2006 17:32:37 -0400
Received: from sb7.songbird.com (sb7.songbird.com [127.0.0.1]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id k74LQiFa023395; Fri, 4 Aug 2006 14:26:44 -0700
Received: from fasolt.mtcc.com (adsl-216-102-208-10.dsl.snfc21.pacbell.net [216.102.208.10]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id k74LQYpR023370 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-dkim@mipassoc.org>; Fri, 4 Aug 2006 14:26:34 -0700
DKIM-Signature: v=0.4; a=rsa-sha256; q=dns/txt; l=2370; t=1154726765; x=11 55590765; c=relaxed/simple; s=dicks.drop.kirkwood; h=Content-Type:From:Subj ect:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z= From:=20Michael=20Thomas=20<mike@mtcc.com>|Subject:=20Re=3A=20[ietf-dkim]=2 0A=20more=20fundamental=20SSP=20axiom|Sender:=20|To:=20Damon=20<deepvoice@g mail.com>|Cc:=20Douglas=20Otis=20<dotis@mail-abuse.org>, =20=0A=20DKIM=20Lis t=20<ie tf-dkim@mipassoc.org>|Content-Transfer-Encoding:=207bit|MIME-Version:=201 .0|Content-Type:=20text/plain=3B=20charset=3DUTF-8=3B=20format=3Dflowed; bh =75iaT16WjpzCeJZLmReb9ZzweHirqg7y31zXcV+o8zQ=; b=r96QNpScy/lYDw4FLxstlR8Uf+iwr4pN0Ozxp7PkjniT1ANCq92APpSXIkVrU5E1LnEFoAUD xHo0/fUA+kBqkwFP6nQZUZy9ujS134oi3bfzPE1jwHL+SNLABHxXNGkr;
DKIM-Signature: a=rsa-sha1; q=dns; l=2370; t=1154726765; x=1155590765; c=r elaxed/simple; s=dicks.drop.kirkwood; h=Content-Type:From:Subject:Content-T ransfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:Michael= 20Thomas=20<mike@mtcc.com>|Subject:Re=3A=20[ietf-dkim]=20A=20more=20fundame ntal=20SSP=20axiom|Sender:|To:Damon=20<deepvoice@gmail.com>|Cc:Douglas=20Ot is=20<dotis@mail-abuse.org>,=20=0A=20DKIM=20List=20<ie tf-dkim@mipassoc.org>|Content-Transfer-Encoding:7bit|MIME-Version:1.0|Con tent-Type:text/plain=3B=20charset=3DUTF-8=3B=20format=3Dflowed; X=v=3Dcisco .com=3B=20h=3D9J+1R8q3OVg0TDo2cZEg7LPE+qc=3D; b=jwtgZ3NtbmbYCHh1swCJNwoYpZHX5D2E+hmYviGpI+uLEYzUEeGFQoU9+UAWjtKR9TRNu4hi q8Ci8Brbnco6H4qf/ubf0lULCnLVWAoT5uUHo4Iv+ix75P9Gl6j5j5aZ;
Received: from [192.168.0.102] (sj-natpool-220.cisco.com [128.107.248.220]) (authenticated bits=0) by fasolt.mtcc.com (8.13.6/8.13.1) with ESMTP id k74LQ3EG005873 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 4 Aug 2006 14:26:04 -0700
Message-ID: <44D3BB65.20702@mtcc.com>
Date: Fri, 04 Aug 2006 14:25:57 -0700
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; rv:1.7.3) Gecko/20040913 Thunderbird/0.8 Mnenhy/0.7.2.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Damon <deepvoice@gmail.com>
Subject: Re: [ietf-dkim] A more fundamental SSP axiom
References: <20060802002353.U59653@simone.iecc.com> <44D36203.2060803@mtcc.com> <20060804112731.I21459@simone.iecc.com> <44D36B4A.2050903@mtcc.com> <20060804114527.Y27352@simone.iecc.com> <44D37376.4020408@mtcc.com> <20060804132203.Y49810@simone.iecc.com> <EAF17954-74A3-4374-A059-B31A1414B350@mail-abuse.org> <62146370608041122t779d200h1b29a659ac8ad612@mail.gmail.com> <44D3B49D.9090800@mtcc.com> <62146370608041406i74f707ffgf708bafe87784d97@mail.gmail.com>
In-Reply-To: <62146370608041406i74f707ffgf708bafe87784d97@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Authentication-Results: fasolt.mtcc.com; header.From=mike@mtcc.com; dkim=pass ( sig from mtcc.com/dicks.drop.kirkwood verified; ); header.From=mike@mtcc.com; dkim=pass ( sig from mtcc.com/dicks.drop.kirkwood verified; );
X-XIPE-SCORES: dispose=pass; ACD=1.00; CLAM=0.00; COMPLY=0.00; URL=0.00; SA=0.00; HONEY=0.00;
X-Songbird: Clean, Clean
Cc: DKIM List <ietf-dkim@mipassoc.org>
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org
X-SongbirdInformation: support@songbird.com for more information
X-Songbird-From: ietf-dkim-bounces@mipassoc.org
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 4b800b1eab964a31702fa68f1ff0e955

Damon wrote:

>> >> "SIGN ALL MAIL"
>> >>
>> >
>> > We _dont_ really really mean it.
>>
>> You and others seem to be having a big problem differentiating between
>> signing and verifying. I can make a perfectly valid statement that I
>> sign all of my mail. There is no guarantee that it will survive intact.
>> Period. Once it's left my domain, I have no control of what 
>> intermediaries
>> do. This is a fact of life, and no amount of glib dismissals or fanciful
>> reinterpretations of that true statement says alters that.
>>
>>       Mike
>>
> Mike,
>
> You are absolutely and positively correct and _that_ is my problem.
> "Sign all mail" is a pipe dream (as you have stated) unless you have
> utter control over where it goes and how it gets there.

No. *Verifying* all mail that was once upon a time correct will be
a long time a coming.

> So what is the
> point of saying "Sign All" unless you can and ensure it gets there
> intact?

Nobody can once it's outside of your control. I can make a statement
about what I do though, and a receiving piece of software might
be able to make use of that (nb, not the postmaster) as an input
function to all of the rest of the things it considers.

> Which causes me to repeat myself... Treat everyone default as
> "Sometimes Sign" and only set "Sign All" only if you really really
> mean it - and are willing to deal with the consequences. Isn't that
> what is really going to be happening anyway?

Not necessarily. It's not hard to envision a piece of software that
knows that something that ought to be signed needs differnt treatment.
Consider the current dkim policies:

o=~  (sign some)
o=!; t=y;   (sign all, but testing)
o=!; t=n;   (sign all, not testing)

In spamassassin terms,  I might assign:

SSPPOLICY_SIGNSOME 0
SSPPOLICY_SIGNALLTESTING 2
SSPPOLICY_SIGNALLNOTTESTING 10

In the first case, they're telling me to not bother with DKIM because it 
will
be unreliable. In the second case, the signing domain saying that they sign
everything means that there's clearly something amiss and that it would be
good to bias it toward rejection. The third case is the signing domain 
saying
that they'd rather it fail than be accepted.

Thus there really is the potential for a receiver to make use of the two 
flavors
of  SIGN ALL.

       Mike
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email