On 10/3/2013 1:51 PM, Douglas Otis wrote:
> Dear Hector,
> Indeed, more should be said about the underlying reasons. The reason for abandoning ADSP is the same reason few providers reject messages not authorized by SPF records ending in "-all" (FAIL). Mailing-list software existed long before either of these strategies, and domains using mailing lists need to be excluded from having DMARC policies (until a revised ATPS specification able to use normal signatures is published). The reason for moving toward DMARC is that, although aligned policy is only suitable for domains limited to messages of a transactional nature, places where one authorization scheme fails can mostly be recovered by the other, which greatly increases the chances of a domain's policy being applied in the desired fashion.
Whether it's ADSP, DMARC or anything else, any DKIM resigner has to be
aware of the consequences of blind signing. It cannot operate in a
vacuum as if all of the following documents did not exist:
RFC4686 Analysis of Threats Motivating DKIM
RFC5016 Requirements for a DKIM Signing Practices Protocol
RFC5585 DKIM Service Overview
RFC5617 DKIM Author Domain Signing Practices (ADSP)
RFC5863 DKIM Development, Deployment, and Operations
RFC6377 DomainKeys Identified Mail (DKIM) and Mailing Lists
All of them describe a basic integrated concept of protecting the
domain signature, which is still a problem to be resolved today;
otherwise the payoff of the new DKIM "Internet Standard" is still
Zilch, Nada, Nil.
So if the movement is now towards DMARC, is mailing-list software
going to support the policies exposed by DMARC restrictive domains?
We are not resolving the basic debate that was always with us.
Stripping policy from the DKIM framework as a separate SSP, then further
relaxing it and changing it to ADSP and now DMARC, does not resolve the
basic fundamental problem with securing DKIM signatures if middleware
is not going to support the concept and continues with blind
resigning.
Make ADSP historic and DKIM itself is at risk of finally falling into
that wasted-protocol-project category as well. Sure, everyone is signing, but
also stripping and replacing everyone's signature; its value has been
totally lost.
Go figure. I think the requester of this change ought to write a
report explaining how making ADSP historic and adopting DMARC
minimizes any impact and also helps keep DKIM as a viable mail
signature concept to have, and how the payoff is finally realized with
DMARC rather than ADSP.
--
HLS
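The point both messages above turn on is DMARC identifier alignment: a restrictive policy on the author's domain is applied against the From header domain, and a list that rewrites the body and resigns with its own d= leaves nothing aligned. The following is an added example, not code from this thread or from any DKIM/DMARC implementation; it models only the RFC 7489 alignment step (DKIM and SPF verification outcomes are supplied as inputs), reduces to the organizational domain under the simplifying assumption of a one-label public suffix, and uses constructed messages and domains (example.com, lists.example.org).

```python
"""DMARC alignment for a direct message vs. the same message relayed
through a mailing list that adds a subject tag/footer and resigns.

Added example (assumptions): verifier outcomes are passed in rather than
computed, and org_domain() assumes a single-label public suffix.
"""
import email
import email.utils
import re
from email.message import Message

# Constructed sample: author signs directly, no intermediary.
DIRECT = (
    "From: Alice <alice@example.com>\n"
    "To: bob@example.net\n"
    "Subject: hi\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; "
    "h=from:to:subject; bh=BODYHASH; b=SIG\n"
    "\n"
    "hello\n"
)

# Constructed sample: list changed Subject and body (author's signature
# no longer verifies), then resigned with its own domain.
RELAYED = (
    "From: Alice <alice@example.com>\n"
    "To: discuss@lists.example.org\n"
    "Subject: [discuss] hi\n"
    "List-Id: <discuss.lists.example.org>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; "
    "h=from:to:subject; bh=BODYHASH; b=SIG\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=list; "
    "h=from:to:subject:list-id; bh=NEWHASH; b=LISTSIG\n"
    "\n"
    "hello\n--\nlist footer\n"
)

# Constructed DMARC record for example.com (relaxed alignment, p=reject).
POLICY = {"p": "reject", "adkim": "r", "aspf": "r"}


def org_domain(domain: str) -> str:
    """Organizational domain, assuming a one-label public suffix
    ('lists.example.org' -> 'example.org'). Real code needs the PSL."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(ident: str, from_dom: str, mode: str) -> bool:
    """Strict ('s') requires an exact match; relaxed ('r') compares
    organizational domains."""
    ident, from_dom = ident.lower(), from_dom.lower()
    if mode == "s":
        return ident == from_dom
    return org_domain(ident) == org_domain(from_dom)


def from_domain(msg: Message) -> str:
    """Domain of the RFC5322.From address, the identifier DMARC policy binds to."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower()


def dkim_domains(msg: Message) -> list:
    """d= tag of every DKIM-Signature header present on the message."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            found.append(m.group(1).lower())
    return found


def evaluate(raw: str, dkim_results: dict, spf_domain: str, spf_pass: bool,
             policy: dict):
    """dkim_results maps signing domain -> verifier result for that signature;
    spf_domain/spf_pass describe the envelope (MAIL FROM) check.
    Returns (dmarc_pass, disposition)."""
    msg = email.message_from_string(raw)
    fd = from_domain(msg)
    dkim_ok = any(dkim_results.get(d, False) and aligned(d, fd, policy.get("adkim", "r"))
                  for d in dkim_domains(msg))
    spf_ok = spf_pass and aligned(spf_domain, fd, policy.get("aspf", "r"))
    passed = dkim_ok or spf_ok
    return passed, ("none" if passed else policy["p"])


if __name__ == "__main__":
    print("direct :", evaluate(DIRECT, {"example.com": True},
                               "example.com", True, POLICY))
    print("relayed:", evaluate(RELAYED, {"example.com": False, "lists.example.org": True},
                               "lists.example.org", True, POLICY))
```

The relayed copy has a perfectly valid signature and an SPF pass, but both identifiers belong to the list's domain, so neither aligns with the author's From domain and the author's p=reject is what the receiver applies; that is the failure mode blind resigning produces, independent of whether the policy is expressed as ADSP or DMARC.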