Re: [ietf-dkim] ADSP Informative Note on parent domain signing

Jim Fenton <fenton@cisco.com> Tue, 07 April 2009 22:04 UTC

Return-Path: <ietf-dkim-bounces@mipassoc.org>
X-Original-To: ietfarch-ietf-dkim-archive@core3.amsl.com
Delivered-To: ietfarch-ietf-dkim-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3799B3A6E0B for <ietfarch-ietf-dkim-archive@core3.amsl.com>; Tue, 7 Apr 2009 15:04:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.52
X-Spam-Level:
X-Spam-Status: No, score=-6.52 tagged_above=-999 required=5 tests=[AWL=0.079, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jYM1HLaUUzJt for <ietfarch-ietf-dkim-archive@core3.amsl.com>; Tue, 7 Apr 2009 15:04:13 -0700 (PDT)
Received: from sbh17.songbird.com (mail.mipassoc.org [IPv6:2001:470:1:76:0:ffff:4834:7146]) by core3.amsl.com (Postfix) with ESMTP id 7007A3A6A42 for <ietf-dkim-archive@ietf.org>; Tue, 7 Apr 2009 15:04:12 -0700 (PDT)
Received: from sbh17.songbird.com (sbh17.songbird.com [127.0.0.1]) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id n37M4Enr022406; Tue, 7 Apr 2009 15:04:20 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=mipassoc.org; s=k00001; t=1239141863; bh=L0k8rR6Dyk1QhfN4OmC1u2vVLPM=; h=Message-ID:Date: From:MIME-Version:To:References:In-Reply-To:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Type:Content-Transfer-Encoding:Sender; b=kIpr/aHVn7Pdxjdv1 R/6aXz2t3BZ5i3jAShwKPZuO55+kldPycCrdAvOmPuVGaDYIIYK2JPwICizO4KVN0Yy w5g/CWXkEDUNu5wXJDaGSCv15StGeTdojuvfMFHbU6VFqhWtsEAxAaFs92ysaLGlo1C +9pCoWbhqzl0d9pyMvjc=
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id n37M1n5g022310 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=FAIL) for <ietf-dkim@mipassoc.org>; Tue, 7 Apr 2009 15:01:54 -0700
Authentication-Results: sbh17.songbird.com; dkim=pass (768-bit key) header.i=fenton@cisco.com
X-IronPort-AV: E=Sophos;i="4.39,339,1235952000"; d="scan'208";a="151371142"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-3.cisco.com with ESMTP; 07 Apr 2009 21:28:11 +0000
Received: from sj-core-4.cisco.com (sj-core-4.cisco.com [171.68.223.138]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id n37LSBC4009048; Tue, 7 Apr 2009 14:28:11 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-4.cisco.com (8.13.8/8.13.8) with ESMTP id n37LSA7g020839; Tue, 7 Apr 2009 21:28:11 GMT
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 7 Apr 2009 14:28:10 -0700
Received: from dhcp-171-71-97-185.cisco.com ([171.71.97.185]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 7 Apr 2009 14:28:10 -0700
Message-ID: <49DBC56A.2090104@cisco.com>
Date: Tue, 07 Apr 2009 14:28:10 -0700
From: Jim Fenton <fenton@cisco.com>
User-Agent: Thunderbird 2.0.0.21 (Macintosh/20090302)
MIME-Version: 1.0
To: "Siegel, Ellen" <esiegel@constantcontact.com>
References: <49DA9211.7050001@cisco.com> <A4E596E1F52A4D41AB86998A716DC90E265E0F8839@c1-exchmb01.roving.com>
In-Reply-To: <A4E596E1F52A4D41AB86998A716DC90E265E0F8839@c1-exchmb01.roving.com>
X-Enigmail-Version: 0.95.7
X-OriginalArrivalTime: 07 Apr 2009 21:28:10.0283 (UTC) FILETIME=[BFE87FB0:01C9B7C7]
Authentication-Results: sj-dkim-3; header.From=fenton@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0 (sbh17.songbird.com [127.0.0.1]); Tue, 07 Apr 2009 15:04:23 -0700 (PDT)
X-Greylist: Delayed for 00:33:38 by milter-greylist-4.0 (sbh17.songbird.com [72.52.113.70]); Tue, 07 Apr 2009 15:01:54 -0700 (PDT)
Cc: IETF DKIM WG <ietf-dkim@mipassoc.org>
Subject: Re: [ietf-dkim] ADSP Informative Note on parent domain signing
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org

Siegel, Ellen wrote:
>> There remains some disagreement on whether the "informative note"
>> contained in the last paragraph of the text I proposed on March 27
>> should appear in the ADSP draft.  The note said:
>>
>>> Informative Note:  ADSP is incompatible with DKIM signing by parent
>>> domains described in section 3.8 of [RFC4871] in which a signer uses
>>> "i=" to assert that a parent domain is signing for a subdomain.
>>>
>> This would replace the Note in draft-ietf-dkim-ssp-09, section 2.7.
>>
>> Thus far, I feel it should be included and John Levine and Dave Crocker
>> feel it shouldn't.  May we have guidance from others in the Working
>> Group, please?
>>
>
>
> I think it may be the "incompatible" that's causing the disagreement. ADSP is not incompatible with that signing configuration; it would just require that a second signature be added.
>
> Maybe something more like the following?
>
> "ADSP should not be used for domains that use "i=" values to enable a parent domain to sign for a subdomain (as described in section 3.8 of [RFC4871]) unless an additional signature where the "d=" domain matches the "i=" domain is added."

Good thought, but since parent domain signing is largely to simplify key
management (so that the public keys don't need to be published in each
subdomain), it's not necessary to apply a parent domain signature if a
signature where the d= value matches the actual From domain is also applied.

But you're right, "incompatible" may be a little harsh; I just followed
John Levine's wording in -09.  How about:

Informative Note:  DKIM signatures by parent domains as described in section 3.8 of [RFC4871] (in which a signer uses "i=" to assert that it is signing for a subdomain) do not satisfy the requirements for an Author Domain Signature as defined above.

-Jim


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
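The distinction the thread turns on (a parent-domain signature per RFC 4871 section 3.8 versus an Author Domain Signature whose d= equals the From domain) can be made concrete with a small classifier. The code below is an added illustration for this archive page, not code from the thread, from the ADSP draft, or from any DKIM implementation. It assumes every DKIM-Signature it is given has already verified cryptographically and inspects only the d=, i= and From values; the domains, selectors and b=/bh= values are constructed placeholders, and the practice-to-result mapping is a simplified model of the ADSP outcomes.

```python
"""Classify DKIM signatures the way an ADSP evaluator must: is there an
Author Domain Signature (d= equal to the From domain), or only a
parent-domain signature (d= is an ancestor of the i= domain, as in
RFC 4871 section 3.8)?

Assumption: each DKIM-Signature header passed in has already been verified;
nothing here checks b= or bh=. Sample headers below are constructed.
"""
import re
from email.utils import parseaddr


def parse_tags(header_value):
    """Split a tag=value list into a dict. Folding whitespace inside values
    (common in b= and h=) is removed, as RFC 4871 section 3.2 allows."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def author_domain(from_header):
    """Domain of the single From: address, lowercased (the ADSP Author Domain)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError("From header carries no address: %r" % from_header)
    return addr.rsplit("@", 1)[1].lower()


def identity_domain(tags):
    """Domain part of i=; RFC 4871 defaults i= to '@<d=>' when absent."""
    ident = tags.get("i", "@" + tags["d"])
    if "@" not in ident:
        raise ValueError("i= tag must contain '@': %r" % ident)
    return ident.rsplit("@", 1)[1].lower()


def is_within(child, parent):
    """True when child equals parent or is a subdomain of it."""
    return child == parent or child.endswith("." + parent)


def classify(from_header, dkim_header):
    """Return 'author-domain', 'parent-domain' or 'other' for one signature.

    author-domain: d= equals the From domain (satisfies ADSP).
    parent-domain: d= is a proper ancestor of i=, and i= is the From domain
                   (the section 3.8 case; does not satisfy ADSP).
    other:         anything else (third-party signature, unrelated i=).
    """
    tags = parse_tags(dkim_header)
    d = tags["d"].lower()
    idom = identity_domain(tags)
    if not is_within(idom, d):
        raise ValueError("i= domain %s is not within d= domain %s" % (idom, d))
    author = author_domain(from_header)
    if d == author:
        return "author-domain"
    if idom != d and idom == author:
        return "parent-domain"
    return "other"


def adsp_result(from_header, dkim_headers, practice):
    """Simplified ADSP outcome for a published practice of 'unknown', 'all'
    or 'discardable'. Only an Author Domain Signature counts; a parent-domain
    signature alone leaves the message unsigned from ADSP's point of view."""
    kinds = [classify(from_header, h) for h in dkim_headers]
    if "author-domain" in kinds:
        return "pass"
    return {"unknown": "unknown", "all": "fail", "discardable": "discard"}[practice]


# Constructed sample message: From is in a subdomain, signed by the parent.
FROM_HDR = "Alice Example <alice@mail.example.com>"
PARENT_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n"
              "\ti=@mail.example.com; h=from:to:subject; bh=CONSTRUCTED=;\r\n"
              "\tb=CONSTRUCTED\r\n\tSIGNATURE=")
AUTHOR_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.com; s=sel; "
              "h=from:to:subject; bh=CONSTRUCTED=; b=CONSTRUCTEDSIGNATURE=")

if __name__ == "__main__":
    for sig in (PARENT_SIG, AUTHOR_SIG):
        print(classify(FROM_HDR, sig))
    print(adsp_result(FROM_HDR, [PARENT_SIG], "all"))
    print(adsp_result(FROM_HDR, [PARENT_SIG, AUTHOR_SIG], "all"))
```

Run as written, the parent signature alone yields "fail" under a practice of "all", and adding the subdomain's own signature yields "pass"; that second signature is sufficient on its own, which is Jim's point that the parent signature adds nothing for ADSP once a d=-matches-From signature is present.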