On Sat 07/Jun/2014 12:43:57 +0200 Dave Crocker wrote:
> 
> I've been stewing on this idea for a while and Murray pressed to get it
> into writing, adding his usual, significant enhancements to the original
> concept.  We've gone a couple of rounds before releasing it, but it's
> still nascent enough to warrant gentle-but-firm handling.  In other
> words, comments eagerly solicited.

Some comments:

First, weak signatures which are not part of a chain should be ignored
by verifiers.  An authentication chain can be defined as a set of
valid DKIM signatures and possibly an SPF authentication of delegated
domains ("D" set), ordered such that:

* the first one is an author domain signature,
* each signature covers more header fields than the preceding one,
* the last authentication is a full (i.e. not weak) DKIM signature, or
  an SPF "pass" authentication.

That way, by adding DKIM-Delegate: and/or Resent-To: as needed, it is
possible to have a mailing list send to another one.

The sentence starting this point is stronger than the wording in the
document.  The latter talks about satisfying "this profile", which may
sound like allowing those verifiers who used to validate weak
signatures to continue their practices so long as other profiles are
concerned.  Instead, since we encourage signers to produce weak
signatures, we ought to tell verifiers to ignore them unless they are
part of a chain.

Second, Section 3 and its subsections overstate the meaning of adding
a DKIM-Delegate: field.  AIUI, it serves when the To:/Cc: fields
contain more domains than those which are meant to be delegated.
Bullet 2 of Section 3.2 could characterize that better.  Bullets 3 and
7 should not assume the field is always there.  I suggest defining
weak signatures and then characterize the method independently of the
presence of any DKIM-Delegate: field.

Third, weakly signing should be limited to messages destined to known
mediators of trusted domains.  This point is just implied in the
document.  A discussion about the correspondence between envelope
recipients and signed destination addresses may be appropriate too.

Fourth, a full author domain signature seems to be useless if the only
recipient is a ML.

As a fifth and last point, I'd mention quotation marks (RFC 2045 token
vs quoted-string) among the uses of z= in Section 5.1.

Using z= is easier and probably more effective than trying to specify
a list of admissible, innocuous message alterations, but looks ugly.
Anyway, it may help having MLMs publish a how-to-sign DNS record.  The
record says what subject-tag the MLM adds, for which fields it wants
z=, in which cases it applies which encoding transformation, and the
like.  By itself, the existence of such a record will confirm that a
given recipient expects weak signatures.  Just mumbling.

Ale
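As an added example, not from the post above nor from the draft under discussion, here is a small verifier-side check of the "authentication chain" ordering Ale proposes in his first point. The data model is a constructed simplification: it assumes the verifier has already validated each DKIM signature or SPF result and classified each DKIM signature as weak or full, that results are supplied in signing order (author domain first), that "covers more header fields" means a strict superset of the preceding signature's h= names, and that an SPF pass may only appear as the final step. All sample results are constructed.

```python
"""Verifier-side check for the proposed DKIM "authentication chain" rules.

Added illustration, not code from the post or the draft.  Assumptions:
  * each AuthResult has already been verified by the caller;
  * results are given in signing order (author domain signature first);
  * "covers more header fields" is read as a strict superset of h= names;
  * an SPF pass, if present, is only allowed as the last element.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class AuthResult:
    kind: str                               # "dkim" or "spf"
    domain: str                             # DKIM d= value, or SPF-authenticated domain
    valid: bool                             # signature verified / SPF result was "pass"
    weak: bool = False                      # DKIM signature covering only a minimal field set
    headers: FrozenSet[str] = frozenset()   # lower-cased h= field names (DKIM only)


def is_authentication_chain(results: List[AuthResult], author_domain: str) -> bool:
    """True when `results` satisfies the three proposed ordering rules:
    1. the first element is a valid author-domain DKIM signature,
    2. each later DKIM signature covers a strict superset of the fields
       covered by the previous signature,
    3. the last element is a full (non-weak) DKIM signature or an SPF pass.
    """
    if not results:
        return False
    first = results[0]
    if not (first.kind == "dkim" and first.valid
            and first.domain.lower() == author_domain.lower()):
        return False
    covered = first.headers
    for i, r in enumerate(results[1:], start=1):
        if not r.valid:
            return False
        if r.kind == "dkim":
            if not r.headers > covered:      # must strictly extend coverage
                return False
            covered = r.headers
        elif r.kind == "spf":
            if i != len(results) - 1:        # assumption: SPF only as last step
                return False
        else:
            return False
    last = results[-1]
    return last.kind == "spf" or not last.weak


def usable_results(results: List[AuthResult], author_domain: str) -> List[AuthResult]:
    """Apply the "ignore weak signatures not part of a chain" rule: keep everything
    when the results form a chain, otherwise drop the weak DKIM signatures."""
    if is_authentication_chain(results, author_domain):
        return list(results)
    return [r for r in results if not (r.kind == "dkim" and r.weak)]


def _h(*names: str) -> FrozenSet[str]:
    return frozenset(n.lower() for n in names)


# Constructed sample results for an author at example.com posting through a
# mailing list at lists.example.org (both are placeholder domains).
AUTHOR = "example.com"
WEAK_AUTHOR_SIG = AuthResult("dkim", "example.com", True, weak=True,
                             headers=_h("From", "Date", "Subject", "DKIM-Delegate"))
FULL_AUTHOR_SIG = AuthResult("dkim", "example.com", True,
                             headers=_h("From", "Date", "Subject", "To", "Message-ID"))
FULL_LIST_SIG = AuthResult("dkim", "lists.example.org", True,
                           headers=_h("From", "Date", "Subject", "DKIM-Delegate",
                                      "To", "List-Id", "Message-ID"))
NARROW_LIST_SIG = AuthResult("dkim", "lists.example.org", True,
                             headers=_h("From", "To", "List-Id"))
LIST_SPF_PASS = AuthResult("spf", "lists.example.org", True)


if __name__ == "__main__":
    print(is_authentication_chain([WEAK_AUTHOR_SIG], AUTHOR))                  # False
    print(is_authentication_chain([WEAK_AUTHOR_SIG, FULL_LIST_SIG], AUTHOR))   # True
    print(is_authentication_chain([WEAK_AUTHOR_SIG, NARROW_LIST_SIG], AUTHOR)) # False
    print(is_authentication_chain([WEAK_AUTHOR_SIG, LIST_SPF_PASS], AUTHOR))   # True
    print([r.domain for r in usable_results([WEAK_AUTHOR_SIG, NARROW_LIST_SIG], AUTHOR)])
```

A weak author-domain signature standing alone is rejected, and so is a list signature whose h= does not extend the author's coverage; in both cases `usable_results` discards the weak signature, which is the behaviour Ale asks verifiers to adopt. Real signatures are prepended to the header block, so a verifier would reverse the DKIM-Signature fields before feeding them to `is_authentication_chain`.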

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
