Stephen Farrell wrote:

[proposed requirement]
>> "The protocol MUST state what 'DKIM signing complete' precisely
>> means wrt common practises like resending, news, and other uses
>> of a 2822-From address".

> Two questions:
> Can you provide us with an example of the kind of statement
> you'd envisage being made in an SSP protocol draft?

"At the moment 'DKIM-signing-complete' means that addresses of the given domain cannot be used in the From header field of Netnews articles. All newsgroups can be exported from news by news2mail gateways to mail. For moderated newsgroups articles can be forwarded almost as is by mail from the server where the article was submitted to the moderator, or forwarded by mail from one to another moderator in the case of cross-posts in multiple moderated newsgroups."

Maybe too verbose. The complete list of issues with PRA, plus some additional issues for the 2822-From-centric POV of SSP, if it uses the latter (at the moment 6.3 says it does).

> I don't understand why we, now, need to care about other uses of
> the 2822-From address?

Because the terminology is messy. The 2821-From is something like an envelope-sender, the 2822-From is something like an author, the news-From (T -6 days to first opportunity of approval) is a poster.

As soon as I say 2822-Resent-From or Resent-Sender: me any decrees of the original author in an SSP about 2822-From are at best wishful thinking.

In one of his anti-replay strategies Doug proposed to strip the signature at the MDA, and then the resender can't resend this signature even if she's willing to try this.

All I know about MMS-to-mail gateways is that there's an RFC about it. Somebody knowing what it's about has to check if and what it means wrt 'DKIM-signing-complete'. Maybe nothing, then it's fine. Or maybe it means "'DKIM-signing-complete' domains cannot be used in MMS", and if that's the case then SSP has to say so explicitly. Is somebody here a 'lemonade' expert?

A 2822-From can be used in many applications, transformed into mail at some point. I have no clue where that might be a problem wrt a 'DKIM-signing-complete' SSP, the news2mail case is only the most obvious.

Another obvious case which should be explicitly mentioned in the 'DKIM-signing-complete' explanation is SenderID spf2.0/pra: Even if we don't care about PRA, a PRA == 2822-From is a normal case. A domain claiming to be 'DKIM-signing-complete' has to be sure that there's some DKIM-signing agent on _all_ routes before one of their spf2.0/pra PASS or NEUTRAL IPs. Otherwise they screwed up, causing harm for mails "from" their domain.

Frank

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
