IETF Logo Mail Archive

RE: [ietf-dkim] A more fundamental SSP axiom

"Hallam-Baker, Phillip" <pbaker@verisign.com> Fri, 04 August 2006 19:37 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G95UA-00009v-Ui for ietf-dkim-archive@lists.ietf.org; Fri, 04 Aug 2006 15:37:30 -0400
Received: from sb7.songbird.com ([208.184.79.137]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G95U9-0000s1-GX for ietf-dkim-archive@lists.ietf.org; Fri, 04 Aug 2006 15:37:30 -0400
Received: from sb7.songbird.com (sb7.songbird.com [127.0.0.1]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id k74JabgB008839; Fri, 4 Aug 2006 12:36:38 -0700
Received: from robin.verisign.com (robin.verisign.com [65.205.251.75]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id k74JaLMR008744 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <ietf-dkim@mipassoc.org>; Fri, 4 Aug 2006 12:36:21 -0700
Received: from mou1wnexcn01.vcorp.ad.vrsn.com (mailer1.verisign.com [65.205.251.34]) by robin.verisign.com (8.13.6/8.13.4) with ESMTP id k74JZopK011040; Fri, 4 Aug 2006 12:35:50 -0700
Received: from MOU1WNEXMB04.vcorp.ad.vrsn.com ([10.25.13.157]) by mou1wnexcn01.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 4 Aug 2006 12:35:50 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Subject: RE: [ietf-dkim] A more fundamental SSP axiom
Date: Fri, 04 Aug 2006 12:35:48 -0700
Message-ID: <198A730C2044DE4A96749D13E167AD37C6699C@MOU1WNEXMB04.vcorp.ad.vrsn.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [ietf-dkim] A more fundamental SSP axiom
Thread-Index: Aca37E+Dvy5jds38QdqeopYqJ4WyRwADc6Cw
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: John L <johnl@iecc.com>, Michael Thomas <mike@mtcc.com>
X-OriginalArrivalTime: 04 Aug 2006 19:35:50.0898 (UTC) FILETIME=[31563520:01C6B7FD]
X-Songbird: Clean, Clean
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by sb7.songbird.com id k74JaLMR008744
Cc: DKIM List <ietf-dkim@mipassoc.org>
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org
X-SongbirdInformation: support@songbird.com for more information
X-Songbird-From: ietf-dkim-bounces@mipassoc.org
X-Spam-Score: 0.1 (/)
X-Scan-Signature: f4c2cf0bccc868e4cc88dace71fb3f44

> [mailto:ietf-dkim-bounces@mipassoc.org] On Behalf Of John L

> > That's the problem: if you do that, domains like Cisco -- 
> or anybody 
> > else who uses mailing lists -- will *never* publish a "we sign 
> > everything" policy even though we do.
> 
> And that's a problem because ... ?  There are all sorts of 
> true statements that you can make about your outgoing mail, 
> almost none of which are of any use to anyone else.  This 
> appears to be one of them.
> 
> > 0: "mail from this domain may transit manglers, adjust accordingly"
> 
> That's not a bit, that's a fact of life.  None of us have any 
> idea what paths our mail might take on its way through the 
> mail morass.

I agree with John here. Every email message can be mangled.

However senders can control mangling on their outbound path and receivers can control mangling on their inbound path. The only case when meesages get mangled that is beyond the control of deployments is mailing lists.

It may make sense for Cisco to state 'lots of our mail goes through mailing lists, be advised' but the care value stuff is confused in my view.

If a policy of that type is going to have any utility at all it would be restricted to specific signers, possibly to specific signatures.


Now I don't suggest we do this at this point but consider the following:

Policy is:

     ALWAYS-PRESENT REPORT(EESP, EESP.cisco.com)

That is signature is always present, if you see an error report it via a  yet to be developed protocol EESP.

Two key records are used to sign messages:

Record1: Is used for mail that is expected to go through successfully
Record2: Has a 'loose' flag on it to warn that this mail may well fail.

The decision to use record 1 or record 2 is made by the signer on the basis of the feedback from the EESP system. That should identify the mailing lists that mangle mail in a reasonably short time provided that there is at least one person on the list who supports EESP reporting.


The point is that the idea of applying any numeric description to the mail from a domain like Cisco.com strikes me as far to general to have operational value.

The reactive scheme I describe is capable of tracking differences.

The key records are part of the policy system. If you want to give the verifier information on how to react to a failed signature this should be done in the most specific context that is available, in this case the key record for which the signature failed.


It is arguable that the reporting function for failed signatures should likewise apply to the key record rather than the generic policy record.



_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email