> -----Original Message----- > From: [email protected] [mailto:ietf-dkim- > [email protected]] On Behalf Of Hector Santos > Sent: Monday, August 16, 2010 1:36 PM > To: [email protected] > Subject: [ietf-dkim] Issue 4871bis - DKIM Definition Separation of > domains conflict > > In the current bif draft, it has: > > Abstract > > DomainKeys Identified Mail (DKIM) permits a person, role, or > organization that owns the signing domain to claim some > responsibility for a message by associating the domain with the > message. This can be an author's organization, an operational relay > or one of their agents. DKIM separates the question of the identity > of the signer of the message from the purported author of the > message. Assertion of responsibility is validated through a > cryptographic signature and querying the signer's domain directly to > retrieve the appropriate public key. Message transit from author to > recipient is through relays that typically make no substantive change > to the message content and thus preserve the DKIM signature. > > I have trouble with the 3rd separation sentence and the potential > ignorance it presents by breaking the original responsible party. > > What is the actual question does it separate? > > An association between the purported author and the signer? > Is an authorization question? > Does it absolve the responsibility of the original domain signer?
The sentence is meant to make explicit the fact that the author of a message and the signer of a message are not necessarily the same thing. So I guess then the first of your three examples is the right one. > I don't think the raw DKIM-base document should be making any > conclusion about that it intends to separate or absolve by moving the > responsibility to that of the signer. But the signer (d=) is the only provable entity on a signed message. This was what was said in the update draft as well (RFC5671). > By having it, it implies that those using the DKIM-BASE implementation > can effectively 100% ignore the original responsible domain own > signature without technical and even possibly legal repercussions. I think the problem is that terms like "original responsible domain" are undefined given that there are no assurances of the validity of any other part of the message. If you mean the From: field domain, that domain may or may not match "d=" even if there's a plurality of signatures. > I don't think a reference to POLICY needs to be made, but only focus > on the idea that the LAST SIGNER is the responsible party. I don't think that's necessarily a correct assertion. If a message has four valid signatures on it, then four parties have accepted some responsibility for the message. The From: domain doesn't need to match the "d=" on any of them. _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
