IETF Logo Mail Archive

Re: [ietf-dkim] ADSP Informative Note on parent domain signing

Jim Fenton <fenton@cisco.com> Tue, 07 April 2009 18:54 UTC

Return-Path: <ietf-dkim-bounces@mipassoc.org>
X-Original-To: ietfarch-ietf-dkim-archive@core3.amsl.com
Delivered-To: ietfarch-ietf-dkim-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 14E083A69D2 for <ietfarch-ietf-dkim-archive@core3.amsl.com>; Tue, 7 Apr 2009 11:54:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.516
X-Spam-Level:
X-Spam-Status: No, score=-6.516 tagged_above=-999 required=5 tests=[AWL=0.083, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hopLgF1X8lxH for <ietfarch-ietf-dkim-archive@core3.amsl.com>; Tue, 7 Apr 2009 11:54:29 -0700 (PDT)
Received: from sbh17.songbird.com (mail.mipassoc.org [IPv6:2001:470:1:76:0:ffff:4834:7146]) by core3.amsl.com (Postfix) with ESMTP id 5C2803A6CB9 for <ietf-dkim-archive@ietf.org>; Tue, 7 Apr 2009 11:54:28 -0700 (PDT)
Received: from sbh17.songbird.com (sbh17.songbird.com [127.0.0.1]) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id n37Irojs014527; Tue, 7 Apr 2009 11:53:56 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=mipassoc.org; s=k00001; t=1239130440; bh=sYEr47K+FhwZNVl9kZveZjVzHzw=; h=Message-ID:Date: From:MIME-Version:To:References:In-Reply-To:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Type:Content-Transfer-Encoding:Sender; b=EBprMVi5U7HtTnKqI DUA8acxqZD6cBfg2+1WT4HXqga8vKtJpZl4qt6DgpzwiAdv/HWMAN2bRWsKBJR0nNFA 9dm0oCLdUW7gaMY3FoJwYY+xGthe4xNrR/cJ8N87DJopP7tp5dROTulBRaAQ6hQmrp4 9ToN29hDQEwM+rER/gWE=
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id n37IrgKi014516 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=FAIL) for <ietf-dkim@mipassoc.org>; Tue, 7 Apr 2009 11:53:47 -0700
Authentication-Results: sbh17.songbird.com; dkim=pass (1024-bit key) header.i=fenton@cisco.com
X-IronPort-AV: E=Sophos;i="4.39,338,1235952000"; d="scan'208";a="168208959"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-1.cisco.com with ESMTP; 07 Apr 2009 18:53:40 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n37Ire5w004556; Tue, 7 Apr 2009 11:53:40 -0700
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id n37IreRY009925; Tue, 7 Apr 2009 18:53:40 GMT
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 7 Apr 2009 11:53:40 -0700
Received: from dhcp-171-71-97-185.cisco.com ([171.71.97.185]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 7 Apr 2009 11:53:39 -0700
Message-ID: <49DBA131.10804@cisco.com>
Date: Tue, 07 Apr 2009 11:53:37 -0700
From: Jim Fenton <fenton@cisco.com>
User-Agent: Thunderbird 2.0.0.21 (Macintosh/20090302)
MIME-Version: 1.0
To: Hector Santos <hsantos@santronics.com>
References: <49DA9211.7050001@cisco.com> <49DAA0AD.3010407@santronics.com>
In-Reply-To: <49DAA0AD.3010407@santronics.com>
X-Enigmail-Version: 0.95.7
X-OriginalArrivalTime: 07 Apr 2009 18:53:39.0744 (UTC) FILETIME=[2A3C8200:01C9B7B2]
Authentication-Results: sj-dkim-1; header.From=fenton@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0 (sbh17.songbird.com [127.0.0.1]); Tue, 07 Apr 2009 11:54:00 -0700 (PDT)
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.0 (sbh17.songbird.com [72.52.113.70]); Tue, 07 Apr 2009 11:53:47 -0700 (PDT)
Cc: IETF DKIM WG <ietf-dkim@mipassoc.org>
Subject: Re: [ietf-dkim] ADSP Informative Note on parent domain signing
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org

Hector Santos wrote:
> Jim Fenton wrote:
>> There remains some disagreement on whether the "informative note"
>> contained in the last paragraph of the text I proposed on March 27
>> should appear in the ADSP draft.  The note said:
>>
>>> Informative Note:  ADSP is incompatible with DKIM signing by parent
>>> domains described in section 3.8 of [RFC4871] in which a signer uses
>>> "i=" to assert that a parent domain is signing for a subdomain.
>>>   
>> This would replace the Note in draft-ietf-dkim-ssp-09, section 2.7.
>>
>> Thus far, I feel it should be included and John Levine and Dave Crocker
>> feel it shouldn't.  May we have guidance from others in the Working
>> Group, please?
>
> My input:
>
> Maybe I don't quite see the issues, but I've been doing more testing
> later to see how this is all going to fit, and there seems to be a
> need to deal with issues for the high potential cases:
>
> 1) same primary domain name spaces
>
>     From: user @ subdomain.primary-domain.com
>     DKIM-Signature:  d=primary-domain.com
>
>     or
>
>     From: user @ primary-domain.com
>     DKIM-Signature:  d=subdomain.primary-domain.com
>
> 2) "3rd party" or non-author domain name space
>
>     From: user @ primary-domain.com
>     DKIM-Signature:  d=some-other-domain.com
>
> As far as the i= is concern, as long as the h= binds the From: header
> (as it must per 4871) the i= appears to me as an "extra" bit of
> information that is not required for DKIM 4871 verification.
>
> Lacking applications for usage, I don't see how i= "helps".  I think I
> understand some people want to use it as feed to some future or
> current trust service in the works.  But I see that as gravy information.

Since there is indeed no defined application for the i= value, "gravy
information" is not a bad description.  Nevertheless, Section 3.8 of RFC
4871 says that it's possible to sign messages where the domain part of
the i= value is a subdomain of the d= value, which of course it is.  But
since such a signature won't serve as an Author Domain Signature in ADSP
(when the From address is in the subdomain), I think it's important that
the ADSP specification point that out.

-Jim


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email