IETF Logo Mail Archive

Re: [ietf-dkim] Tracing SSP's paradigm change

Jim Fenton <fenton@cisco.com> Tue, 04 December 2007 22:31 UTC

Return-path: <ietf-dkim-bounces@mipassoc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IzgIq-0004eV-1X for ietf-dkim-archive@lists.ietf.org; Tue, 04 Dec 2007 17:31:44 -0500
Received: from mail.songbird.com ([208.184.79.10]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IzgIp-0001bn-Ha for ietf-dkim-archive@lists.ietf.org; Tue, 04 Dec 2007 17:31:44 -0500
Received: from mail.songbird.com (sb7.songbird.com [127.0.0.1]) by mail.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id lB4MT5bf026084; Tue, 4 Dec 2007 14:29:06 -0800
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by mail.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id lB4MT3GM026069 for <ietf-dkim@mipassoc.org>; Tue, 4 Dec 2007 14:29:03 -0800
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-6.cisco.com with ESMTP; 04 Dec 2007 14:29:27 -0800
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id lB4MTRw4030950; Tue, 4 Dec 2007 14:29:27 -0800
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id lB4MTH23013385; Tue, 4 Dec 2007 22:29:27 GMT
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 4 Dec 2007 14:29:19 -0800
Received: from dhcp-4066.ietf70.org ([10.21.87.89]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 4 Dec 2007 14:29:19 -0800
Message-ID: <4755D4B8.8060807@cisco.com>
Date: Tue, 04 Dec 2007 14:29:12 -0800
From: Jim Fenton <fenton@cisco.com>
User-Agent: Thunderbird 2.0.0.9 (Macintosh/20071031)
MIME-Version: 1.0
To: dcrocker@bbiw.net
Subject: Re: [ietf-dkim] Tracing SSP's paradigm change
References: <47549320.9000307@dcrocker.net> <475585A2.8040600@mtcc.com> <4755D0D4.4000005@dcrocker.net>
In-Reply-To: <4755D0D4.4000005@dcrocker.net>
X-Enigmail-Version: 0.95.5
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 04 Dec 2007 22:29:19.0560 (UTC) FILETIME=[1C8E3C80:01C836C5]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=1615; t=1196807367; x=1197671367; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fenton@cisco.com; z=From:=20Jim=20Fenton=20<fenton@cisco.com> |Subject:=20Re=3A=20[ietf-dkim]=20Tracing=20SSP's=20paradigm=20change |Sender:=20; bh=cT7Em203082Ld/z+QTqJCIfXdeWykRlSdt3LYi9Lds4=; b=bRLweQV6L0fY4TclsmBwRQvlYY//U7B5dmGZhhJVp5zeb6vABJPTEquihe/e0WJJ5GxoHNon N1UCM11DPKOkZtm2FDcOq+BMdbqIolkUyH62eCuqNqrITdDPtEQYZiphdfLNDvQeZ1Wff5Fv9D 9lOPO9SGKQk6jg+QY22smqMVk=;
Authentication-Results: sj-dkim-1; header.From=fenton@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: DKIM IETF WG <ietf-dkim@mipassoc.org>, apps-review@ietf.org
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org
X-Spam-Score: -1.0 (-)
X-Scan-Signature: 769a46790fb42fbb0b0cc700c82f7081

Dave Crocker wrote:
>
>
> Michael Thomas wrote:
>> Dave Crocker wrote:
>>
>>> 3.  Scope and scale of query traffic
>>>
>>> SSP originally was constrained to apply only to unsigned mail.  The
>>> current specification applies to unsigned messages *and* signed
>>> messages
>>> where the DKIM i= domain name does not match the rfc2822.From
>>> <addr-spec>
>>>  domain.  This is a considerable change in the nature -- and
>>> potentially
>>> a considerable change in the amount of query traffic -- that SSP
>>> causes.
>>
>> This has not changed in years. Maybe you've just become aware of it. And
>> the problem here remains with unsigned traffic. Third party
>> signatures are
>> very rare beasts.
>
> The requirement to have i= match From domain was added between the -02
> and -03 versions, sometime during Fall 06 and Winter 07.
>
> On reviewing the working group archive, I have not succeeded in
> finding any discussion either of changing the SSP paradigm to apply to
> signed message or of the problematic selection of the rfc2822.From
> field, rather than rfc2822.Sender field domain.
>
> I recall making a point a number of times in the working group,
> verifying that the group agreed that SSP applied (only) to unsigned
> messages.


>From draft-allman-dkim-ssp-00.txt, dated July 9, 2005, section 1
paragraph 3:

   In the absence of a valid DKIM signature on behalf of the "From"
   address [RFC2822], the verifier of a message MUST determine whether
   messages from a particular sender are expected to be signed, and what
   signatures are acceptable.

-Jim
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email