> -----Original Message----- > From: Jim Fenton [mailto:fen...@cisco.com] > Sent: Tuesday, January 06, 2009 6:10 PM > To: MH Michael Hammer (5304) > Cc: John L; ietf-dkim@mipassoc.org > Subject: Re: [ietf-dkim] Next steps for draft-ietf-dkim-ssp > > It really applies to the implementation of the checker, and not to the > publication of ADSP records. > > At the risk of repeating myself, here's an example of when it's > important. Suppose the ietf.org mailing list manager signs its mail > using i=i...@ietf.org. The IETF Chair sends a message to the list, > using From: <ch...@ietf.org>. I contend it would be bad for the mailing > list manager signature to be confused with an author signature. >
But in terms of the receiving domain checking, why would they make a distinction from an ADSP perspective? The question at hand is whether all email from a particular (sub) domain is signed. If a domain is making this type of assertion, then it is looking at ietf.org and shouldn't really care whether the user is chair@ or i...@. If you are asserting that one might be signed and the other not then I think there is an issue. If you assert that both are signed but the signatures might be different (within the same domain but with different selectors for example then I'm going to say fine because if ietf.org asserts it signs all mail then it still works. It is the domain that is important, not the user part for the all assertion. > This example involves the use of local-parts, but one could also come up > with (somewhat more contrived) examples where the mailing list manager > is at lists.example.com and some users are at users.example.com. If the > keys are published in the example.com domain (d=example.com) and i= > isn't being used, it isn't possible to distinguish author signatures and > list signatures. > Distinguish to what purpose Jim? Either they are signed or they aren't signed from an ADSP perspective. If distinguishing at this granularity is important then publish ADSP for lists.example.com/DKIM sign for that domain (d=) and publish ADSP for users.example.com/DKIM sign for that domain (d=). The author signatures are clearly distinguished from the list signatures. Mike _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html