Michael Hammer (5304) wrote:

> If ietf.org is willing to put its signature on the spoof message I
> would assert that it has a DKIM problem more than an ADSP problem.

There could be different criteria for signing as a mailing list than for signing as an author. A mailing list manager could, for example, sign all messages that it forwards to the list in order to allow subscribers to reliably ascertain all messages on the mailing list. I'm not saying that they would necessarily do this, just that it's one way of looking at it.

> Either the message has a valid signature or it does not. If there is a
> valid signature then ietf.org is claiming responsibility. If it doesn't
> have a valid signature....then not so much. If ietf.org is sending out
> spoofed messages spoofing a "from" then it has a problem regardless of
> whether it DKIM signs, uses ADSP or does anything else.

This gets to the heart of the matter. If it's just a question of whether the message has a valid signature or not, then ADSP concepts like "author signature" don't apply. ADSP defines a more nuanced meaning of the signature that depends on some relationship between the signing address and the From address.

> By DKIM signing ietf.org is claiming responsibility for the mail - good
> bad or indifferent. If it fixes the problem quickly and otherwise it has
> a good reputation then it maintains its reputation. If it consistently
> signs problem mail then it may lose its reputation.

Again, it's a question of whether there is just a claim of responsibility (defined in RFC 4871) or the additional meaning of claiming responsibility as author which we're trying to define here.

> But they are all domain signatures. If you go back and look at the
> discussion that took place before I suggested the name Author Domain
> Signing Policy, I pointed out that authors don't sign, domains do
> (unless an author also has control of DNS for a domain).

Domains do sign, but my view is that they might do so for different reasons in different situations.

> d=users.example.com
> d=lists.example.com
>
> You look at the lack of optimization. I look at where you are going and
> wonder why someone with lots of subdomains is going to turn to ADSP in
> the first place.

Some heavily phished domains do use quite a few subdomains, for example to separate transactional email from marketing materials. They would likely want to publish a different ADSP for the transactional and marketing subdomains. If d= gets used they might need to do their key management differently for any subdomain that uses ADSP. I don't see sufficient reason why the use of ADSP should impact key management/publication, rather than just to match against the i= address (the domain part, anyway...this is a separate issue from the local part issue discussed above).

-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
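The two matching rules argued over in the message above (author domain compared against the d= tag, or against the domain part of the i= tag) can be made concrete. The following is an added illustration written for this page, not code posted by either participant or by any DKIM implementation: it parses a constructed DKIM-Signature tag list, applies each rule to a constructed From address, and also handles the RFC 4871 edge cases that a missing i= defaults to "@" plus the d= domain and that an i= domain outside d= is not permitted. The helper names are hypothetical. For reference, the ADSP specification that was eventually published (RFC 5617) adopted the d= rule.

```python
"""Compare two candidate 'author domain signature' rules from the ADSP debate:
match the From domain against the DKIM d= tag, or against the domain part of
the i= tag.  Hypothetical helper code; all header values below are constructed
samples and the signature is assumed to have already verified."""

import re


def parse_dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 4871 tag-list).
    Folding whitespace inside values is removed; the b= value is kept but unused."""
    tags = {}
    for item in header_value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def domain_of(addr):
    """Lower-cased domain part of 'user@host' or of a bare '@host' as used in i=."""
    return addr.rpartition("@")[2].strip().lower()


def agent_domain(tags):
    """Domain of the i= (Agent or User Identifier).  RFC 4871 defaults a missing
    i= to '@' + d=, and requires the i= domain to be d= or a subdomain of d=;
    None is returned when that constraint is violated."""
    d = tags["d"].lower()
    i = tags.get("i")
    if i is None:
        return d
    idom = domain_of(i)
    if idom == d or idom.endswith("." + d):
        return idom
    return None


def author_domain_signature(from_addr, tags, rule):
    """Decide whether a valid DKIM signature counts as an author domain signature
    for the From address under the given rule:
      'd' - From domain must equal the d= tag (the rule RFC 5617 later adopted)
      'i' - From domain must equal the domain part of i= (the alternative argued above)
    """
    from_dom = domain_of(from_addr)
    if rule == "d":
        return from_dom == tags["d"].lower()
    if rule == "i":
        idom = agent_domain(tags)
        return idom is not None and from_dom == idom
    raise ValueError("rule must be 'd' or 'i'")


# Constructed sample: the parent domain holds the signing key (d=example.com)
# and sets i= to the transactional subdomain that actually authored the mail.
SAMPLE_FROM = "alerts@transactions.example.com"
SAMPLE_SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel1;\r\n"
              "\ti=@transactions.example.com; h=from:to:subject;\r\n"
              "\tbh=constructed; b=constructed")


def evaluate_sample():
    """Apply both rules to the constructed sample; d= fails, i= succeeds."""
    tags = parse_dkim_tags(SAMPLE_SIG)
    return {rule: author_domain_signature(SAMPLE_FROM, tags, rule)
            for rule in ("d", "i")}


def evaluate_list_case():
    """Constructed mailing-list case from the quoted d= examples: a list host
    signs a message whose From is on a sibling subdomain.  Neither rule
    treats this as an author domain signature, and an i= pointing at the
    sibling would violate the RFC 4871 subdomain constraint."""
    tags = {"d": "lists.example.com"}
    invalid_i = {"d": "lists.example.com", "i": "@users.example.com"}
    return {
        "d": author_domain_signature("u@users.example.com", tags, "d"),
        "i": author_domain_signature("u@users.example.com", tags, "i"),
        "invalid_i": agent_domain(invalid_i),
    }


if __name__ == "__main__":
    print(evaluate_sample())
    print(evaluate_list_case())
```

The point the code makes is the one Jim raises: under the d= rule the parent domain cannot let a subdomain publish its own ADSP without also moving key publication to that subdomain, whereas under the i= rule the key can stay at the parent and the author subdomain is carried in i=.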