On Oct 22, 2013, at 2:21 PM, Viktor Dukhovni wrote: > On Tue, Oct 22, 2013 at 01:56:25PM -0400, Scott Rose wrote: > >> We submitted an Internet-Draft on using a new DNS RRType to signal >> that all email coming from the domain will be signed (proposed type >> is called SMIMELOCK). So that when a client receives an email that >> lacks a SMIME signature from a domain with the SMIMELOCK RR, it >> could be marked as suspect. The draft is at: >> https://datatracker.ietf.org/doc/draft-srose-smimelock/ > > Since the intended target of this record is the MUA, how do you > propose to deal with "saved" email (that is email that did not > "just arrive")? What happens when a message is first retrieved by > the MUA from an IMAP server long after it is delivered to the > mailbox? > > Does the policy apply to the: > > - Envelope sender domain? > > - RFC2822.From domain? > > - RFC2822.Sender domain? > > - DKIM signer domain? > > What is the interaction with "Resent-From" and/or "Resent-Sender"? > > What is the treatment of mail sent to a public list (and modified > by the list adding a footer, ...)? >
Admittedly we're still working on it. I envision it mostly being used for domains that do transactional email, where one person sends it. It would only be used on receipt of mail, so no check should be done on saved mail. The policy would apply (most likely) to the RFC2822 From domain, since that is the entity likely to be the one vouching for the message by the signature. > I think the value of this effort will be marginal at best. There > are I think too many corner cases to make the "all" value practically > reliable. There's not much point in "partial" or "none". > "Partial" is only useful in advertising a interim state before going to "all". "none" doesn't mean much, but could be interpreted as the domain does not issue mail certs, so any signatures seen are from certs issued someone else (not the domain holder). How the MUA interprets that is local policy. > Problem areas: > > Outsourced email marketing, > Outsourced Benefits providers, > Public mailing lists, > Resent mail, > Stored mail, > ... > Admittedly, outsourced marketing is a problem. The main driver is entities (mostly governments, but others as well) are looking for a way to signal that all outgoing mail from a given domain will be signed. G2G and G2C are our main targets. Scott > -- > Viktor. > _______________________________________________ > dane mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dane _______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
