| draft-ietf-dkim-ssp-09.txt | draft-ietf-dkim-ssp-10.txt | |||
|---|---|---|---|---|
| Network Working Group E. Allman | Network Working Group E. Allman | |||
| Internet-Draft Sendmail, Inc. | Internet-Draft Sendmail, Inc. | |||
| Intended status: Standards Track J. Fenton | Intended status: Standards Track J. Fenton | |||
| Expires: August 9, 2009 Cisco Systems, Inc. | Expires: November 12, 2009 Cisco Systems, Inc. | |||
| M. Delany | M. Delany | |||
| Yahoo! Inc. | Yahoo! Inc. | |||
| J. Levine | J. Levine | |||
| Taughannock Networks | Taughannock Networks | |||
| February 5, 2009 | May 11, 2009 | |||
| DomainKeys Identified Mail (DKIM) Author Domain Signing Practices (ADSP) | DomainKeys Identified Mail (DKIM) Author Domain Signing Practices (ADSP) | |||
| draft-ietf-dkim-ssp-09 | draft-ietf-dkim-ssp-10 | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| skipping to change at page 1, line 37 | skipping to change at page 1, line 37 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on August 9, 2009. | This Internet-Draft will expire on November 12, 2009. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2009 IETF Trust and the persons identified as the | Copyright (c) 2009 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents in effect on the date of | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | publication of this document (http://trustee.ietf.org/license-info). | |||
| publication of this document. Please review these documents | Please review these documents carefully, as they describe your rights | |||
| carefully, as they describe your rights and restrictions with respect | and restrictions with respect to this document. | |||
| to this document. | ||||
| Abstract | Abstract | |||
| DomainKeys Identified Mail (DKIM) defines a domain-level | DomainKeys Identified Mail (DKIM) defines a domain-level | |||
| authentication framework for email to permit verification of the | authentication framework for email to permit verification of the | |||
| source and contents of messages. This document specifies an adjunct | source and contents of messages. This document specifies an adjunct | |||
| mechanism to aid in assessing messages that do not contain a DKIM | mechanism to aid in assessing messages that do not contain a DKIM | |||
| signature for the domain used in the author's address. It defines a | signature for the domain used in the author's address. It defines a | |||
| record that can advertise whether a domain signs its outgoing mail, | record that can advertise whether a domain signs its outgoing mail, | |||
| and how other hosts can access that record. | and how other hosts can access that record. | |||
| skipping to change at page 2, line 25 | skipping to change at page 2, line 25 | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Language and Terminology . . . . . . . . . . . . . . . . . . . 4 | 2. Language and Terminology . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.1. Terms Imported from DKIM Signatures Specification . . . . 4 | 2.1. Terms Imported from DKIM Signatures Specification . . . . 4 | |||
| 2.2. Valid Signature . . . . . . . . . . . . . . . . . . . . . 5 | 2.2. Valid Signature . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.3. Author Address . . . . . . . . . . . . . . . . . . . . . . 5 | 2.3. Author Address . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.4. Author Domain . . . . . . . . . . . . . . . . . . . . . . 5 | 2.4. Author Domain . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.5. Alleged Author . . . . . . . . . . . . . . . . . . . . . . 5 | 2.5. Alleged Author . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.6. Author Domain Signing Practices . . . . . . . . . . . . . 5 | 2.6. Author Domain Signing Practices . . . . . . . . . . . . . 5 | |||
| 2.7. Author Signature . . . . . . . . . . . . . . . . . . . . . 5 | 2.7. Author Domain Signature . . . . . . . . . . . . . . . . . 5 | |||
| 3. Operation Overview . . . . . . . . . . . . . . . . . . . . . . 6 | 3. Operation Overview . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. ADSP Applicability . . . . . . . . . . . . . . . . . . . . 6 | 3.1. ADSP Applicability . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.2. ADSP Usage . . . . . . . . . . . . . . . . . . . . . . . . 7 | 3.2. ADSP Usage . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.3. ADSP Results . . . . . . . . . . . . . . . . . . . . . . . 7 | 3.3. ADSP Results . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4. Detailed Description . . . . . . . . . . . . . . . . . . . . . 7 | 4. Detailed Description . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.1. DNS Representation . . . . . . . . . . . . . . . . . . . . 7 | 4.1. DNS Representation . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.2. Publication of ADSP Records . . . . . . . . . . . . . . . 8 | 4.2. Publication of ADSP Records . . . . . . . . . . . . . . . 8 | |||
| 4.3. ADSP Lookup Procedure . . . . . . . . . . . . . . . . . . 9 | 4.3. ADSP Lookup Procedure . . . . . . . . . . . . . . . . . . 9 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.1. ADSP Specification Tag Registry . . . . . . . . . . . . . 10 | 5.1. ADSP Specification Tag Registry . . . . . . . . . . . . . 10 | |||
| 5.2. ADSP Outbound Signing Practices Registry . . . . . . . . . 11 | 5.2. ADSP Outbound Signing Practices Registry . . . . . . . . . 10 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 5.3. Authentication-Results Method Registry Update . . . . . . 11 | |||
| 6.1. ADSP Threat Model . . . . . . . . . . . . . . . . . . . . 11 | 5.4. Authentication-Results Result Registry Update . . . . . . 11 | |||
| 6.2. DNS Considerations . . . . . . . . . . . . . . . . . . . . 12 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | |||
| 6.3. DNS Wildcards . . . . . . . . . . . . . . . . . . . . . . 12 | 6.1. ADSP Threat Model . . . . . . . . . . . . . . . . . . . . 13 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 6.2. DNS Considerations . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.1. References - Normative . . . . . . . . . . . . . . . . . . 13 | 6.3. DNS Wildcards . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7.2. References - Informative . . . . . . . . . . . . . . . . . 13 | 6.4. Inappropriate Application of Author Domain Signatures . . 15 | |||
| Appendix A. Lookup Examples . . . . . . . . . . . . . . . . . . . 14 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| A.1. Domain and ADSP exist . . . . . . . . . . . . . . . . . . 14 | 7.1. References - Normative . . . . . . . . . . . . . . . . . . 15 | |||
| A.2. Domain exists, ADSP does not exist . . . . . . . . . . . . 14 | 7.2. References - Informative . . . . . . . . . . . . . . . . . 16 | |||
| A.3. Domain does not exist . . . . . . . . . . . . . . . . . . 15 | Appendix A. Lookup Examples . . . . . . . . . . . . . . . . . . . 16 | |||
| Appendix B. Usage Examples . . . . . . . . . . . . . . . . . . . 15 | A.1. Domain and ADSP exist . . . . . . . . . . . . . . . . . . 17 | |||
| B.1. Single Location Domains . . . . . . . . . . . . . . . . . 15 | A.2. Domain exists, ADSP does not exist . . . . . . . . . . . . 17 | |||
| B.2. Bulk Mailing Domains . . . . . . . . . . . . . . . . . . . 15 | A.3. Domain does not exist . . . . . . . . . . . . . . . . . . 17 | |||
| B.3. Bulk Mailing Domains with Discardable Mail . . . . . . . . 16 | Appendix B. Usage Examples . . . . . . . . . . . . . . . . . . . 17 | |||
| B.4. Third Party Senders . . . . . . . . . . . . . . . . . . . 16 | B.1. Single Location Domains . . . . . . . . . . . . . . . . . 18 | |||
| B.5. Domains with Independent Users and Liberal Use Policies . 17 | B.2. Bulk Mailing Domains . . . . . . . . . . . . . . . . . . . 18 | |||
| B.6. Non-email Domains . . . . . . . . . . . . . . . . . . . . 17 | B.3. Bulk Mailing Domains with Discardable Mail . . . . . . . . 19 | |||
| Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 17 | B.4. Third Party Senders . . . . . . . . . . . . . . . . . . . 19 | |||
| Appendix D. Change Log . . . . . . . . . . . . . . . . . . . . . 17 | B.5. Domains with Independent Users and Liberal Use Policies . 19 | |||
| D.1. Changes since -ietf-dkim-08 . . . . . . . . . . . . . . . 17 | B.6. Non-email Domains . . . . . . . . . . . . . . . . . . . . 19 | |||
| D.2. Changes since -ietf-dkim-07 . . . . . . . . . . . . . . . 17 | Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 19 | |||
| D.3. Changes since -ietf-dkim-06 . . . . . . . . . . . . . . . 18 | Appendix D. Change Log . . . . . . . . . . . . . . . . . . . . . 20 | |||
| D.4. Changes since -ietf-dkim-05 . . . . . . . . . . . . . . . 18 | D.1. Changes since -ietf-dkim-09 . . . . . . . . . . . . . . . 20 | |||
| D.5. Changes since -ietf-dkim-04 . . . . . . . . . . . . . . . 18 | D.2. Changes since -ietf-dkim-08 . . . . . . . . . . . . . . . 20 | |||
| D.6. Changes since -ietf-dkim-03 . . . . . . . . . . . . . . . 18 | D.3. Changes since -ietf-dkim-07 . . . . . . . . . . . . . . . 20 | |||
| D.7. Changes since -ietf-dkim-02 . . . . . . . . . . . . . . . 19 | D.4. Changes since -ietf-dkim-06 . . . . . . . . . . . . . . . 20 | |||
| D.8. Changes since -ietf-dkim-ssp-01 . . . . . . . . . . . . . 20 | D.5. Changes since -ietf-dkim-05 . . . . . . . . . . . . . . . 21 | |||
| D.9. Changes since -ietf-dkim-ssp-00 . . . . . . . . . . . . . 21 | D.6. Changes since -ietf-dkim-04 . . . . . . . . . . . . . . . 21 | |||
| D.10. Changes since -allman-ssp-02 . . . . . . . . . . . . . . . 21 | D.7. Changes since -ietf-dkim-03 . . . . . . . . . . . . . . . 21 | |||
| D.11. Changes since -allman-ssp-01 . . . . . . . . . . . . . . . 22 | D.8. Changes since -ietf-dkim-02 . . . . . . . . . . . . . . . 22 | |||
| D.12. Changes since -allman-ssp-00 . . . . . . . . . . . . . . . 22 | D.9. Changes since -ietf-dkim-ssp-01 . . . . . . . . . . . . . 22 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22 | D.10. Changes since -ietf-dkim-ssp-00 . . . . . . . . . . . . . 23 | |||
| D.11. Changes since -allman-ssp-02 . . . . . . . . . . . . . . . 24 | ||||
| D.12. Changes since -allman-ssp-01 . . . . . . . . . . . . . . . 24 | ||||
| D.13. Changes since -allman-ssp-00 . . . . . . . . . . . . . . . 25 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25 | ||||
| 1. Introduction | 1. Introduction | |||
| DomainKeys Identified Mail (DKIM) defines a mechanism by which email | DomainKeys Identified Mail (DKIM) defines a mechanism by which email | |||
| messages can be cryptographically signed, permitting a signing domain | messages can be cryptographically signed, permitting a signing domain | |||
| to claim responsibility for the introduction of a message into the | to claim responsibility for the introduction of a message into the | |||
| mail stream. Message recipients can verify the signature by querying | mail stream. Message recipients can verify the signature by querying | |||
| the signer's domain directly to retrieve the appropriate public key, | the signer's domain directly to retrieve the appropriate public key, | |||
| and thereby confirm that the message was attested to by a party in | and thereby confirm that the message was attested to by a party in | |||
| possession of the private key for the signing domain. | possession of the private key for the signing domain. | |||
| However, the legacy of the Internet is such that not all messages | However, the legacy of the Internet is such that not all messages | |||
| will be signed, and the absence of a signature on a message is not an | will be signed, and the absence of a signature on a message is not an | |||
| a priori indication of forgery. In fact, during early phases of | a priori indication of forgery. In fact, during early phases of | |||
| deployment it is very likely that most messages will remain unsigned. | deployment it is very likely that most messages will remain unsigned. | |||
| However, some domains might decide to sign all of their outgoing | However, some domains might decide to sign all of their outgoing | |||
| mail, for example, to protect their brand names. It might be | mail, for example, to protect their brand names. It might be | |||
| desirable for such domains to be able to advertise that fact to other | desirable for such domains to be able to advertise that fact to other | |||
| hosts. This is the topic of Author Domain Signing Practices (ADSP). | hosts. This is the topic of Author Domain Signing Practices (ADSP). | |||
| Hosts implementing this specification can inquire what Author Signing | Hosts implementing this specification can inquire what Author Domain | |||
| Practices a domain advertises. This inquiry is called an Author | Signing Practices a domain advertises. This inquiry is called an | |||
| Signing Practices check. | Author Domain Signing Practices check. | |||
| The basic requirements for ADSP are given in [RFC5016]. This | The basic requirements for ADSP are given in [RFC5016]. This | |||
| document refers extensively to [RFC4871] and assumes the reader is | document refers extensively to [RFC4871] and assumes the reader is | |||
| familiar with it. | familiar with it. | |||
| Requirements Notation: The key words "MUST", "MUST NOT", | Requirements Notation: The key words "MUST", "MUST NOT", | |||
| "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", | "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", | |||
| "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be | "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be | |||
| interpreted as described in [RFC2119] | interpreted as described in [RFC2119] | |||
| skipping to change at page 5, line 33 | skipping to change at page 5, line 33 | |||
| An "Alleged Author" is an Author Address of a message; it is | An "Alleged Author" is an Author Address of a message; it is | |||
| "alleged" because it has not yet been checked. | "alleged" because it has not yet been checked. | |||
| 2.6. Author Domain Signing Practices | 2.6. Author Domain Signing Practices | |||
| "Author Domain Signing Practices" (or just "practices") consist of a | "Author Domain Signing Practices" (or just "practices") consist of a | |||
| machine-readable record published by the domain of an Alleged Author | machine-readable record published by the domain of an Alleged Author | |||
| which includes statements about the domain's practices with respect | which includes statements about the domain's practices with respect | |||
| to mail it sends with its domain in the From: line. | to mail it sends with its domain in the From: line. | |||
| 2.7. Author Signature | 2.7. Author Domain Signature | |||
| An "author signature" is a Valid Signature that has the same domain | ||||
| name in the DKIM signing identity as the domain name in the Author | ||||
| Address. If the DKIM signing identity has a Local-part, it is be | ||||
| identical to the Local-part in the Author Address. Following | ||||
| [RFC5321], Local-part comparisons are case sensitive, but domain | ||||
| comparisons are case insensitive. | ||||
| For example, if a message has a Valid Signature, with the DKIM- | An "Author Domain Signature" is a Valid Signature in which the domain | |||
| Signature field containing "i=a@domain.example", then domain.example | name of the DKIM signing entity, the d= tag in the DKIM-Signature | |||
| is asserting that it takes responsibility for the message. If the | header field, is the same as the domain name in the Author Address. | |||
| message's From: field contains the address "b@domain.example", that | Following [RFC5321], domain name comparisons are case insensitive. | |||
| would mean that the message does not have a valid Author Signature. | ||||
| Even though the message is signed by the same domain, it will not | ||||
| satisfy ADSP that specifies "dkim=all" or "dkim=discardable". | ||||
| Note: ADSP is incompatible with valid DKIM usage in which a signer | For example, if the From: line address is bob@domain.example, and the | |||
| uses "i=" with values that are not the same as addresses in mail | message has a Valid Signature, with the DKIM-Signature header field | |||
| headers. In that case, a possible workaround could be to add a | containing "d=domain.example", then the message has an Author Domain | |||
| second DKIM signature a "d=" value that matches the Author | Signature. | |||
| Address, but no "i=". | ||||
| 3. Operation Overview | 3. Operation Overview | |||
| Domain owners publish ADSP information via a query mechanism such as | Domain owners publish ADSP information via a query mechanism such as | |||
| the Domain Name System; specific details are given in Section 4.1. | the Domain Name System; specific details are given in Section 4.1. | |||
| Hosts can look up the ADSP information of the domain(s) specified by | Hosts can look up the ADSP information of the domain(s) specified by | |||
| the Author Address(es) as described in Section 4.3. If a message has | the Author Address(es) as described in Section 4.3. If a message has | |||
| multiple Author Addresses the ADSP lookups SHOULD be performed | multiple Author Addresses the ADSP lookups SHOULD be performed | |||
| independently on each address. This document does not address the | independently on each address. This document does not address the | |||
| skipping to change at page 7, line 16 | skipping to change at page 6, line 50 | |||
| 3.2. ADSP Usage | 3.2. ADSP Usage | |||
| Depending on the Author Domain(s) and the signatures in a message, a | Depending on the Author Domain(s) and the signatures in a message, a | |||
| recipient gets varying amounts of useful information from each ADSP | recipient gets varying amounts of useful information from each ADSP | |||
| lookup. | lookup. | |||
| o If a message has no Valid Signature, the ADSP result is directly | o If a message has no Valid Signature, the ADSP result is directly | |||
| relevant to the message. | relevant to the message. | |||
| o If a message has an Author Signature, ADSP provides no benefit | o If a message has an Author Domain Signature, ADSP provides no | |||
| relative to that domain since the message is already known to be | benefit relative to that domain since the message is already known | |||
| compliant with any possible ADSP for that domain. | to be compliant with any possible ADSP for that domain. | |||
| o If a message has a Valid Signature other than an Author Signature, | o If a message has a Valid Signature other than an Author Domain | |||
| the receiver can use both the Signature and the ADSP result in its | Signature, the receiver can use both the Signature and the ADSP | |||
| evaluation of the message. | result in its evaluation of the message. | |||
| 3.3. ADSP Results | 3.3. ADSP Results | |||
| An ADSP lookup for an Author Address produces one of four possible | An ADSP lookup for an Author Address produces one of four possible | |||
| results: | results: | |||
| o Messages from this domain might or might not have an author | o Messages from this domain might or might not have an author domain | |||
| signature. This is the default if the domain exists in the DNS | signature. This is the default if the domain exists in the DNS | |||
| but no ADSP record is found. | but no ADSP record is found. | |||
| o All messages from this domain are signed with an Author Signature. | o All messages from this domain are signed with an Author Domain | |||
| Signature. | ||||
| o All messages from this domain are signed with an Author Signature | o All messages from this domain are signed with an Author Domain | |||
| and discardable, i.e., if a message arrives without a valid Author | Signature and discardable, i.e., if a message arrives without a | |||
| Signature, the domain encourages the recipient(s) to discard it. | valid Author Domain Signature, the domain encourages the | |||
| recipient(s) to discard it. | ||||
| o This domain is out of scope, i.e., the domain does not exist in | o This domain is out of scope, i.e., the domain does not exist in | |||
| the DNS. | the DNS. | |||
| An ADSP lookup could terminate without producing any result if a DNS | An ADSP lookup could terminate without producing any result if a DNS | |||
| lookup results in a temporary failure. | lookup results in a temporary failure. | |||
| 4. Detailed Description | 4. Detailed Description | |||
| 4.1. DNS Representation | 4.1. DNS Representation | |||
| skipping to change at page 8, line 18 | skipping to change at page 8, line 6 | |||
| [RFC4871] is used, modified to use WSP rather than FWS. Records not | [RFC4871] is used, modified to use WSP rather than FWS. Records not | |||
| in compliance with that syntax or the syntax of individual tags | in compliance with that syntax or the syntax of individual tags | |||
| described in Section 4.3 MUST be ignored (considered equivalent to a | described in Section 4.3 MUST be ignored (considered equivalent to a | |||
| NODATA result) for purposes of ADSP, although they MAY cause the | NODATA result) for purposes of ADSP, although they MAY cause the | |||
| logging of warning messages via an appropriate system logging | logging of warning messages via an appropriate system logging | |||
| mechanism. If the RDATA contains multiple character strings, the | mechanism. If the RDATA contains multiple character strings, the | |||
| strings are logically concatenated with no delimiters between the | strings are logically concatenated with no delimiters between the | |||
| strings. | strings. | |||
| Note: ADSP changes the "Tag=Value List" syntax from [RFC4871] to | Note: ADSP changes the "Tag=Value List" syntax from [RFC4871] to | |||
| use WSP rather than FWS in its DNS records. Domains MUST NOT | use WSP rather than FWS in its DNS records. | |||
| publish ADSP records with wildcard names. Wildcards within a | ||||
| domain publishing ADSP records pose a particular problem, as | Note: Domains MUST NOT publish ADSP records with wildcard names. | |||
| discussed in more detail in Section 6.3. | Wildcards within a domain publishing ADSP records pose a | |||
| particular problem, as discussed in more detail in Section 6.3. | ||||
| 4.2. Publication of ADSP Records | 4.2. Publication of ADSP Records | |||
| ADSP is intended to apply to all mail sent using the domain name | ADSP is intended to apply to all mail sent using the domain name | |||
| string of an Alleged Author. | string of an Alleged Author. | |||
| 4.2.1. Record Syntax | 4.2.1. Record Syntax | |||
| ADSP records use the "tag=value" syntax described in section 3.2 of | ADSP records use the "tag=value" syntax described in section 3.2 of | |||
| [RFC4871], modified to use WSP rather than FWS. Every ADSP record | [RFC4871], modified to use WSP rather than FWS. Every ADSP record | |||
| skipping to change at page 8, line 45 | skipping to change at page 8, line 34 | |||
| Tags used in ADSP records are described below. Unrecognized tags | Tags used in ADSP records are described below. Unrecognized tags | |||
| MUST be ignored. In the ABNF below, the WSP token, and the ALPHA and | MUST be ignored. In the ABNF below, the WSP token, and the ALPHA and | |||
| DIGIT tokens are imported from [RFC5234]. | DIGIT tokens are imported from [RFC5234]. | |||
| dkim= Outbound signing practices for the domain (plain-text; | dkim= Outbound signing practices for the domain (plain-text; | |||
| REQUIRED). Possible values are as follows: | REQUIRED). Possible values are as follows: | |||
| unknown The domain might sign some or all email. | unknown The domain might sign some or all email. | |||
| all All mail from the domain is signed with an Author | all All mail from the domain is signed with an Author Domain | |||
| Signature. | Signature. | |||
| discardable All mail from the domain is signed with an Author | discardable All mail from the domain is signed with an Author | |||
| Signature. Furthermore, if a message arrives without a valid | Domain Signature. Furthermore, if a message arrives without a | |||
| Author Signature due to modification in transit, submission via | valid Author Domain Signature due to modification in transit, | |||
| a path without access to a signing key, or any other reason, | submission via a path without access to a signing key, or any | |||
| the domain encourages the recipient(s) to discard it. | other reason, the domain encourages the recipient(s) to discard | |||
| it. | ||||
| Any other values are treated as "unknown". | Any other values are treated as "unknown". | |||
| ABNF: | ABNF: | |||
| adsp-dkim-tag = %x64.6b.69.6d *WSP "=" *WSP | adsp-dkim-tag = %x64.6b.69.6d *WSP "=" *WSP | |||
| ("unknown" / "all" / "discardable") | ("unknown" / "all" / "discardable") | |||
| 4.3. ADSP Lookup Procedure | 4.3. ADSP Lookup Procedure | |||
| Hosts doing an ADSP lookup MUST produce a result that is semantically | Hosts doing an ADSP lookup MUST produce a result that is semantically | |||
| skipping to change at page 11, line 28 | skipping to change at page 11, line 15 | |||
| The initial entries in the registry comprise: | The initial entries in the registry comprise: | |||
| +-------------+-----------------+ | +-------------+-----------------+ | |||
| | TYPE | REFERENCE | | | TYPE | REFERENCE | | |||
| +-------------+-----------------+ | +-------------+-----------------+ | |||
| | unknown | (this document) | | | unknown | (this document) | | |||
| | all | (this document) | | | all | (this document) | | |||
| | discardable | (this document) | | | discardable | (this document) | | |||
| +-------------+-----------------+ | +-------------+-----------------+ | |||
| ADSP Outbound Signing Practices Registry Initial Values | ADSP Outbound Signing Practices Registry Initial Values | |||
| 5.3. Authentication-Results Method Registry Update | ||||
| IANA is requested to add the following to the Email Authentication | ||||
| Method Name Registry: | ||||
| Method: dkim-adsp | ||||
| Defined In: this memo | ||||
| ptype: header | ||||
| property: from | ||||
| value: Contents of the [RFC5322] From: header field, with comments | ||||
| removed | ||||
| 5.4. Authentication-Results Result Registry Update | ||||
| IANA is requested to add or update the following in the Email | ||||
| Authentication Result Name Registry: | ||||
| Code: none | ||||
| Existing/New Code: existing | ||||
| Defined In: [RFC5451] | ||||
| Auth Method: dkim-adsp (added) | ||||
| Meaning: No DKIM author domain signing practises (ADSP) record was | ||||
| published. | ||||
| Code: pass | ||||
| Existing/New Code: existing | ||||
| Defined In: [RFC5451] | ||||
| Auth Method: dkim-adsp (added) | ||||
| Meaning: This message had an Author Domain Domain Signature that was | ||||
| validated. (An ADSP check is not strictly required to be | ||||
| performed for this result, since a valid Author Domain Signature | ||||
| satisfies all possible ADSP policies.) | ||||
| Code: unknown | ||||
| Existing/New Code: new | ||||
| Defined In: this memo | ||||
| Auth Method: dkim-adsp | ||||
| Meaning: No valid Author Domain Signature was found on the message | ||||
| and the published ADSP was "unknown". | ||||
| Code: fail | ||||
| Existing/New Code: existing | ||||
| Defined In: [RFC5451] | ||||
| Auth Method: dkim-adsp (added) | ||||
| Meaning: No valid Author Domain Signature was found on the message | ||||
| and the published ADSP was "all". | ||||
| Code: discard | ||||
| Existing/New Code: new | ||||
| Defined In: this memo | ||||
| Auth Method: dkim-adsp | ||||
| Meaning: No valid Author Domain Signature was found on the message | ||||
| and the published ADSP was "discardable". | ||||
| Code: nxdomain | ||||
| Existing/New Code: new | ||||
| Defined In: this memo | ||||
| Auth Method: dkim-adsp | ||||
| Meaning: Evaluating the ADSP for the Author's DNS domain indicated | ||||
| that the Author's DNS domain does not exist. | ||||
| Code: temperror | ||||
| Existing/New Code: existing | ||||
| Defined In: [RFC5451] | ||||
| Auth Method: dkim-adsp (added) | ||||
| Meaning: An ADSP record could not be retrieved due to some error | ||||
| that is likely transient in nature, such as a temporary DNS error. | ||||
| A later attempt may produce a final result. | ||||
| Code: permerror | ||||
| Existing/New Code: existing | ||||
| Defined In: [RFC5451] | ||||
| Auth Method: dkim-adsp (added) | ||||
| Meaning: An ADSP record could not be retrieved due to some error | ||||
| that is likely not transient in nature, such as a permanent DNS | ||||
| error. A later attempt is unlikely to produce a final result. | ||||
| 6. Security Considerations | 6. Security Considerations | |||
| Security considerations in the ADSP are mostly related to attempts on | Security considerations in the ADSP are mostly related to attempts on | |||
| the part of malicious senders to represent themselves as authors for | the part of malicious senders to represent themselves as authors for | |||
| whom they are not authorized to send mail, often in an attempt to | whom they are not authorized to send mail, often in an attempt to | |||
| defraud either the recipient or an Alleged Author. | defraud either the recipient or an Alleged Author. | |||
| Additional security considerations regarding Author Domain Signing | Additional security considerations regarding Author Domain Signing | |||
| Practices are found in the DKIM threat analysis [RFC4686]. | Practices are found in the DKIM threat analysis [RFC4686]. | |||
| skipping to change at page 12, line 52 | skipping to change at page 15, line 14 | |||
| 6.3. DNS Wildcards | 6.3. DNS Wildcards | |||
| DNS wildcards (described in [RFC4592]) that exist in the DNS | DNS wildcards (described in [RFC4592]) that exist in the DNS | |||
| hierarchy at or above the domain being checked interfere with the | hierarchy at or above the domain being checked interfere with the | |||
| ability to verify the scope of the ADSP check described in | ability to verify the scope of the ADSP check described in | |||
| Section 4.3. For example, a wildcard record for *.domain.example | Section 4.3. For example, a wildcard record for *.domain.example | |||
| makes all subdomains such as foo.domain.example exist in the DNS. | makes all subdomains such as foo.domain.example exist in the DNS. | |||
| Domains that intend to make active use of ADSP by publishing a | Domains that intend to make active use of ADSP by publishing a | |||
| practice other than Unknown are advised to avoid the use of wildcards | practice other than Unknown are advised to avoid the use of wildcards | |||
| elsewhere in their hierarchy. | in their hierarchy. | |||
| If a domain contains wildcards, then any name that matches the | If a domain contains wildcards, then any name that matches the | |||
| wildcard can appear to be a valid mail domain eligible for ADSP. But | wildcard can appear to be a valid mail domain eligible for ADSP. But | |||
| the "_adsp._domainkey." prefix on ADSP records does not allow | the "_adsp._domainkey." prefix on ADSP records does not allow | |||
| publication of wildcard records that cover ADSP records without also | publication of wildcard records that cover ADSP records without also | |||
| covering non-ADSP records, nor of wildcard records that cover non- | covering non-ADSP records, nor publication of wildcard records that | |||
| ADSP records without also covering ADSP records. Hence a domain MUST | cover non-ADSP records without also covering ADSP records. A domain | |||
| NOT publish wildcard ADSP records. | that uses ADSP practices other than unknown SHOULD NOT publish | |||
| wildcard records. | ||||
| 6.4. Inappropriate Application of Author Domain Signatures | ||||
| In one model of DKIM usage, a domain signs messages that are in | ||||
| transit through their system. Since any signature whose domain | ||||
| matches the Author Domain is by definition an Author Domain | ||||
| Signature, it would be unwise to sign mail whose Author Domain is the | ||||
| signer's domain if the mail is not known to meet the domain's | ||||
| standards for an Author Domain Signature. | ||||
| One such use case is where a domain might apply such a signature is | ||||
| following application of an Authentication-Results header field as | ||||
| described in Section 7.1 of [RFC5451]. This problem can be easily | ||||
| avoided either by not applying a signature that might be confused | ||||
| with an Author Domain Signature or by applying a signature from some | ||||
| other domain, such as a subdomain of the Author Domain. | ||||
| 7. References | 7. References | |||
| 7.1. References - Normative | 7.1. References - Normative | |||
| [RFC1035] Mockapetris, P., "Domain names - implementation and | [RFC1035] Mockapetris, P., "Domain names - implementation and | |||
| specification", STD 13, RFC 1035, November 1987. | specification", STD 13, RFC 1035, November 1987. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| skipping to change at page 13, line 44 | skipping to change at page 16, line 25 | |||
| [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
| IANA Considerations Section in RFCs", BCP 26, RFC 5226, | IANA Considerations Section in RFCs", BCP 26, RFC 5226, | |||
| May 2008. | May 2008. | |||
| [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax | [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax | |||
| Specifications: ABNF", STD 68, RFC 5234, January 2008. | Specifications: ABNF", STD 68, RFC 5234, January 2008. | |||
| [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, | [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, | |||
| October 2008. | October 2008. | |||
| [RFC5451] Kucherawy, M., "Message Header Field for Indicating | ||||
| Message Authentication Status", RFC 5451, April 2009. | ||||
| 7.2. References - Informative | 7.2. References - Informative | |||
| [RFC4686] Fenton, J., "Analysis of Threats Motivating DomainKeys | [RFC4686] Fenton, J., "Analysis of Threats Motivating DomainKeys | |||
| Identified Mail (DKIM)", RFC 4686, September 2006. | Identified Mail (DKIM)", RFC 4686, September 2006. | |||
| [RFC5016] Thomas, M., "Requirements for a DomainKeys Identified Mail | [RFC5016] Thomas, M., "Requirements for a DomainKeys Identified Mail | |||
| (DKIM) Signing Practices Protocol", RFC 5016, | (DKIM) Signing Practices Protocol", RFC 5016, | |||
| October 2007. | October 2007. | |||
| [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, | [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, | |||
| skipping to change at page 14, line 47 | skipping to change at page 17, line 32 | |||
| A mail message contains this From: header line: | A mail message contains this From: header line: | |||
| From: alice@bbb.example (Old-fashioned Alice) | From: alice@bbb.example (Old-fashioned Alice) | |||
| The ADSP Lookup first identifies the Author Address alice@bbb.example | The ADSP Lookup first identifies the Author Address alice@bbb.example | |||
| and the Author Domain bbb.example. It does an MX DNS query for | and the Author Domain bbb.example. It does an MX DNS query for | |||
| bbb.example, and gets back record (3). Since that query didn't | bbb.example, and gets back record (3). Since that query didn't | |||
| return an error, it then proceeds to a TXT DNS query for | return an error, it then proceeds to a TXT DNS query for | |||
| _adsp._domainkey.bbb.example, which returns NXDOMAIN. Since the | _adsp._domainkey.bbb.example, which returns NXDOMAIN. Since the | |||
| domain exists but there is no ADSP record, ADSP returns the default | domain exists but there is no ADSP record, ADSP returns the default | |||
| unknown result: messages may or may not have an author signature. | unknown result: messages may or may not have an author domain | |||
| signature. | ||||
| A.3. Domain does not exist | A.3. Domain does not exist | |||
| A mail message contains this From: header line: | A mail message contains this From: header line: | |||
| From: frank@ccc.example (Unreliable Frank) | From: frank@ccc.example (Unreliable Frank) | |||
| The ADSP Lookup first identifies the Author Address frank@ccc.example | The ADSP Lookup first identifies the Author Address frank@ccc.example | |||
| and the Author Domain ccc.example. It does an MX DNS query for | and the Author Domain ccc.example. It does an MX DNS query for | |||
| ccc.example, and gets back an NXDOMAIN result since there are no | ccc.example, and gets back an NXDOMAIN result since there are no | |||
| skipping to change at page 15, line 29 | skipping to change at page 18, line 11 | |||
| These examples are intended to illustrate typical uses of ADSP. They | These examples are intended to illustrate typical uses of ADSP. They | |||
| are not intended to be exhaustive, nor to apply to every domain's or | are not intended to be exhaustive, nor to apply to every domain's or | |||
| mail system's individual situation. | mail system's individual situation. | |||
| Domain managers are advised to consider the ways that mail processing | Domain managers are advised to consider the ways that mail processing | |||
| can modify messages in ways that will invalidate an existing DKIM | can modify messages in ways that will invalidate an existing DKIM | |||
| signature, such as mailing lists, courtesy forwarders, and other | signature, such as mailing lists, courtesy forwarders, and other | |||
| paths that could add or modify headers, or modify the message body. | paths that could add or modify headers, or modify the message body. | |||
| In that case, if the modifications invalidate the DKIM signature, | In that case, if the modifications invalidate the DKIM signature, | |||
| recipient hosts will consider the mail not to have an Author | recipient hosts will consider the mail not to have an Author Domain | |||
| Signature, even though the signature was present when the mail was | Signature, even though the signature was present when the mail was | |||
| originally sent. | originally sent. | |||
| B.1. Single Location Domains | B.1. Single Location Domains | |||
| A common mail system configuration handles all of a domain's users' | A common mail system configuration handles all of a domain's users' | |||
| incoming and outgoing mail through a single MTA or group of MTAs. In | incoming and outgoing mail through a single MTA or group of MTAs. In | |||
| that case, the MTA(s) can be configured to sign outgoing mail with an | that case, the MTA(s) can be configured to sign outgoing mail with an | |||
| Author Signature. | Author Domain Signature. | |||
| In this situation it might be appropriate to publish an ADSP record | In this situation it might be appropriate to publish an ADSP record | |||
| for the domain containing "all", depending on whether the users also | for the domain containing "all", depending on whether the users also | |||
| send mail through other paths that do not apply an Author Signature. | send mail through other paths that do not apply an Author Domain | |||
| Such paths could include MTAs at hotels or hotspot networks used by | Signature. Such paths could include MTAs at hotels or hotspot | |||
| travelling users, web sites that provide "mail an article" features, | networks used by travelling users, web sites that provide "mail an | |||
| user messages sent through mailing lists, or third party mail clients | article" features, user messages sent through mailing lists, or third | |||
| that support multiple user identities. | party mail clients that support multiple user identities. | |||
| B.2. Bulk Mailing Domains | B.2. Bulk Mailing Domains | |||
| Another common configuration uses a domain solely for bulk or | Another common configuration uses a domain solely for bulk or | |||
| broadcast mail, with no individual human users, again typically | broadcast mail, with no individual human users, again typically | |||
| sending all the mail through a single MTA or group of MTAs that can | sending all the mail through a single MTA or group of MTAs that can | |||
| apply an Author Signature. In this case, the domain's management can | apply an Author Domain Signature. In this case, the domain's | |||
| be confident that all of its outgoing mail will be sent through the | management can be confident that all of its outgoing mail will be | |||
| signing MTA. Lacking individual users, the domain is unlikely to | sent through the signing MTA. Lacking individual users, the domain | |||
| participate in mailing lists, but could still send mail through other | is unlikely to participate in mailing lists, but could still send | |||
| paths that might invalidate signatures. | mail through other paths that might invalidate signatures. | |||
| Domain owners often use specialist mailing providers to send their | Domain owners often use specialist mailing providers to send their | |||
| bulk mail. In that case, the mailing provider needs access to a | bulk mail. In that case, the mailing provider needs access to a | |||
| suitable signing key in order to apply an Author Signature. One | suitable signing key in order to apply an Author Domain Signature. | |||
| possible route would be for the domain owner to generate the key and | One possible route would be for the domain owner to generate the key | |||
| give it to the mailing provider. Another would be for the domain to | and give it to the mailing provider. Another would be for the domain | |||
| delegate a subdomain to the mailing provider, for example, | to delegate a subdomain to the mailing provider, for example, | |||
| bigbank.example might delegate email.bigbank.example to such a | bigbank.example might delegate email.bigbank.example to such a | |||
| provider. In that case, the provider can generate the keys and DKIM | provider. In that case, the provider can generate the keys and DKIM | |||
| DNS records itself and use the subdomain in the Author address in the | DNS records itself and use the subdomain in the Author address in the | |||
| mail. | mail. | |||
| Regardless of the DNS and key management strategy chosen, whoever | Regardless of the DNS and key management strategy chosen, whoever | |||
| maintains the DKIM records for the domain could also install an ADSP | maintains the DKIM records for the domain could also install an ADSP | |||
| record containing "all". | record containing "all". | |||
| B.3. Bulk Mailing Domains with Discardable Mail | B.3. Bulk Mailing Domains with Discardable Mail | |||
| In some cases, a domain might sign all of its outgoing mail with an | In some cases, a domain might sign all of its outgoing mail with an | |||
| Author Signature, but prefer that recipient systems discard mail | Author Domain Signature, but prefer that recipient systems discard | |||
| without a valid Author Signature to avoid confusion from mail sent | mail without a valid Author Domain Signature to avoid confusion from | |||
| from sources that do not apply an Author Signature. (In the case of | mail sent from sources that do not apply an Author Domain Signature. | |||
| domains with tightly controlled outgoing mail, this latter kind of | (In the case of domains with tightly controlled outgoing mail, this | |||
| mail is sometimes loosely called "forgeries".) In that case, it | latter kind of mail is sometimes loosely called "forgeries".) In | |||
| might be appropriate to publish an ADSP record containing | that case, it might be appropriate to publish an ADSP record | |||
| "discardable". Note that a domain SHOULD NOT publish a "discardable" | containing "discardable". Note that a domain SHOULD NOT publish a | |||
| record if it wishes to maximize the likelihood that mail from the | "discardable" record if it wishes to maximize the likelihood that | |||
| domain is delivered, since it could cause some fraction of the mail | mail from the domain is delivered, since it could cause some fraction | |||
| the domain sends to be discarded. | of the mail the domain sends to be discarded. | |||
| B.4. Third Party Senders | B.4. Third Party Senders | |||
| Another common use case is for a third party to enter into an | Another common use case is for a third party to enter into an | |||
| agreement whereby that third party will send bulk or other mail on | agreement whereby that third party will send bulk or other mail on | |||
| behalf of a designated author or author domain, using that domain in | behalf of a designated author or author domain, using that domain in | |||
| the RFC5322 From: or other headers. Due to the many and varied | the RFC5322 From: or other headers. Due to the many and varied | |||
| complexities of such agreements, third party signing is not addressed | complexities of such agreements, third party signing is not addressed | |||
| in this specification. | in this specification. | |||
| skipping to change at page 17, line 32 | skipping to change at page 20, line 11 | |||
| This document greatly benefited from comments by Steve Atkins, Jon | This document greatly benefited from comments by Steve Atkins, Jon | |||
| Callas, Dave Crocker, Pasi Eronen, JD Falk, Arvel Hathcock, Ellen | Callas, Dave Crocker, Pasi Eronen, JD Falk, Arvel Hathcock, Ellen | |||
| Siegel, Michael Thomas, and Wietse Venema. | Siegel, Michael Thomas, and Wietse Venema. | |||
| Appendix D. Change Log | Appendix D. Change Log | |||
| *NOTE TO RFC EDITOR: This section may be removed upon publication of | *NOTE TO RFC EDITOR: This section may be removed upon publication of | |||
| this document as an RFC.* | this document as an RFC.* | |||
| D.1. Changes since -ietf-dkim-08 | D.1. Changes since -ietf-dkim-09 | |||
| o Change author signature to use d=. | ||||
| o Change all "author signature" to "author domain signature". | ||||
| o Add authentication results for IANA per Murray K. | ||||
| o Minor editorial clarifications. | ||||
| D.2. Changes since -ietf-dkim-08 | ||||
| o Simplify and clarify interpretation of d= and i=. | o Simplify and clarify interpretation of d= and i=. | |||
| o Add note pointing out that i= usage conflicts with normal usage, | o Add note pointing out that i= usage conflicts with normal usage, | |||
| and suggest workaround. | and suggest workaround. | |||
| o Add note pointing out that you can mechanically add ADSP records | o Add note pointing out that you can mechanically add ADSP records | |||
| for all the subdomains you use. | for all the subdomains you use. | |||
| o in Section 3.2 fix text to say that only an Author Signature | o in Section 3.2 fix text to say that only an Author Signature | |||
| counts. | counts. | |||
| D.2. Changes since -ietf-dkim-07 | D.3. Changes since -ietf-dkim-07 | |||
| Clarify that ADSP records use WSP rather than FWS in 4.1 and 4.2.1. | Clarify that ADSP records use WSP rather than FWS in 4.1 and 4.2.1. | |||
| D.3. Changes since -ietf-dkim-06 | D.4. Changes since -ietf-dkim-06 | |||
| Minor editorial changes suggested by AD: | Minor editorial changes suggested by AD: | |||
| o expand DKIM in title | o expand DKIM in title | |||
| o clarify that there's no subdomain matching in Section 3.1 | o clarify that there's no subdomain matching in Section 3.1 | |||
| o ADSP lookup can terminate without a result if the DNS lookup fails | o ADSP lookup can terminate without a result if the DNS lookup fails | |||
| o random dkim= values are treated as unknown | o random dkim= values are treated as unknown | |||
| skipping to change at page 18, line 27 | skipping to change at page 21, line 14 | |||
| o in 4.2 note WSP not FWS | o in 4.2 note WSP not FWS | |||
| o in 4.3 note that NODATA is not NXDOMAIN | o in 4.3 note that NODATA is not NXDOMAIN | |||
| o add new Appendix A with lookup examples | o add new Appendix A with lookup examples | |||
| Also address Tony's nits in | Also address Tony's nits in | |||
| http://mipassoc.org/pipermail/ietf-dkim/2008q3/010720.html. Make the | http://mipassoc.org/pipermail/ietf-dkim/2008q3/010720.html. Make the | |||
| examples consistently use the .example domain. | examples consistently use the .example domain. | |||
| D.4. Changes since -ietf-dkim-05 | D.5. Changes since -ietf-dkim-05 | |||
| Minor editorial nits: define NOERROR, SERVFAIL, NXDOMAIN as rfc1035 | Minor editorial nits: define NOERROR, SERVFAIL, NXDOMAIN as rfc1035 | |||
| rcodes, change some punctuation, IANA section change IETF Consensus | rcodes, change some punctuation, IANA section change IETF Consensus | |||
| to the new IETF Review. | to the new IETF Review. | |||
| D.5. Changes since -ietf-dkim-04 | D.6. Changes since -ietf-dkim-04 | |||
| o Require dkim at the front of each record. | o Require dkim at the front of each record. | |||
| o Disparage wildcard records. | o Disparage wildcard records. | |||
| o Changed ABNF use of whitespace from FWS back to WSP, dkim-base is | o Changed ABNF use of whitespace from FWS back to WSP, dkim-base is | |||
| wrong. | wrong. | |||
| o RFC 2434 -> 5226, make ref to 4686 informational since it's not | o RFC 2434 -> 5226, make ref to 4686 informational since it's not | |||
| standards track. | standards track. | |||
| o Improve examples with material from Ellen. | o Improve examples with material from Ellen. | |||
| D.6. Changes since -ietf-dkim-03 | D.7. Changes since -ietf-dkim-03 | |||
| o Name change for title and filename, to be ADSP | o Name change for title and filename, to be ADSP | |||
| o String changes throughout, to author Domain signing practices and | o String changes throughout, to author Domain signing practices and | |||
| to aDsp. | to aDsp. | |||
| o Added some keywords. | o Added some keywords. | |||
| o Clarified comparison of local part and domain in Author Address. | o Clarified comparison of local part and domain in Author Address. | |||
| skipping to change at page 19, line 34 | skipping to change at page 22, line 24 | |||
| o Revised wildcard text. | o Revised wildcard text. | |||
| o Removed 't' tag. | o Removed 't' tag. | |||
| o Removed ADSP Flags Registry section. | o Removed ADSP Flags Registry section. | |||
| o Changed ABNF use of whitespace from WSP back to FWS, for | o Changed ABNF use of whitespace from WSP back to FWS, for | |||
| consistency with dkim-base. | consistency with dkim-base. | |||
| D.7. Changes since -ietf-dkim-02 | D.8. Changes since -ietf-dkim-02 | |||
| o Merge in more text from ADSP draft. | o Merge in more text from ADSP draft. | |||
| o Phrase actions as host's rather than checker. | o Phrase actions as host's rather than checker. | |||
| o Explanatory description of i= matching. | o Explanatory description of i= matching. | |||
| o Lookup procedure consistently refers to one ADSP record per | o Lookup procedure consistently refers to one ADSP record per | |||
| lookup. | lookup. | |||
| skipping to change at page 20, line 9 | skipping to change at page 22, line 46 | |||
| o Simplify imports of terms from other RFCs, add Local-part, 4234 -> | o Simplify imports of terms from other RFCs, add Local-part, 4234 -> | |||
| 5234. | 5234. | |||
| o Add usage example appendix. | o Add usage example appendix. | |||
| o Add IANA considerations. | o Add IANA considerations. | |||
| o Update authors list | o Update authors list | |||
| D.8. Changes since -ietf-dkim-ssp-01 | D.9. Changes since -ietf-dkim-ssp-01 | |||
| o Reworded introduction for clarity. | o Reworded introduction for clarity. | |||
| o Various definition clarifications. | o Various definition clarifications. | |||
| o Changed names of practices to unknown, all, and discardable. | o Changed names of practices to unknown, all, and discardable. | |||
| o Removed normative language mandating use of SSP in particular | o Removed normative language mandating use of SSP in particular | |||
| situations (issue 1538). | situations (issue 1538). | |||
| skipping to change at page 21, line 10 | skipping to change at page 23, line 47 | |||
| o Introduced the concepts of "SSP Checker" and "Evaluator". | o Introduced the concepts of "SSP Checker" and "Evaluator". | |||
| o Multiple author case now handled my separate invocations of SSP | o Multiple author case now handled my separate invocations of SSP | |||
| checker by Evaluator (issue 1525). | checker by Evaluator (issue 1525). | |||
| o Removed check to avoid querying top-level domains. | o Removed check to avoid querying top-level domains. | |||
| o Changed ABNF use of whitespace from [FWS] to *WSP (partially | o Changed ABNF use of whitespace from [FWS] to *WSP (partially | |||
| addresses issue 1543). | addresses issue 1543). | |||
| D.9. Changes since -ietf-dkim-ssp-00 | D.10. Changes since -ietf-dkim-ssp-00 | |||
| o Clarified Operation Overview and eliminated use of Legitimate as | o Clarified Operation Overview and eliminated use of Legitimate as | |||
| the counterpart of Suspicious since the words have different | the counterpart of Suspicious since the words have different | |||
| meanings. | meanings. | |||
| o Improved discussion (courtesy of Arvel Hathcock) of the use of TXT | o Improved discussion (courtesy of Arvel Hathcock) of the use of TXT | |||
| records in DNS vs. a new RR type. | records in DNS vs. a new RR type. | |||
| o Clarified publication rules for multilevel names. | o Clarified publication rules for multilevel names. | |||
| skipping to change at page 21, line 39 | skipping to change at page 24, line 28 | |||
| o Added "handling" tag to express alleged sending domain's | o Added "handling" tag to express alleged sending domain's | |||
| preference about handling of Suspicious messages. | preference about handling of Suspicious messages. | |||
| o Clarified handling of SERVFAIL error in SSP check. | o Clarified handling of SERVFAIL error in SSP check. | |||
| o Replaced "entity" with "domain", since with the removal of user- | o Replaced "entity" with "domain", since with the removal of user- | |||
| granularity SSP, the only entities having sender signing policies | granularity SSP, the only entities having sender signing policies | |||
| are domains. | are domains. | |||
| D.10. Changes since -allman-ssp-02 | D.11. Changes since -allman-ssp-02 | |||
| o Removed user-granularity SSP and u= tag. | o Removed user-granularity SSP and u= tag. | |||
| o Replaced DKIMP resource record with a TXT record. | o Replaced DKIMP resource record with a TXT record. | |||
| o Changed name of the primary tag from "p" to "dkim". | o Changed name of the primary tag from "p" to "dkim". | |||
| o Replaced lookup algorithm with one which traverses upward at most | o Replaced lookup algorithm with one which traverses upward at most | |||
| one level. | one level. | |||
| o Added description of records to be published, and effect of | o Added description of records to be published, and effect of | |||
| wildcard records within the domain, on SSP. | wildcard records within the domain, on SSP. | |||
| D.11. Changes since -allman-ssp-01 | D.12. Changes since -allman-ssp-01 | |||
| o Changed term "Sender Signing Policy" to "Sender Signing | o Changed term "Sender Signing Policy" to "Sender Signing | |||
| Practices". | Practices". | |||
| o Changed query methodology to use a separate DNS resource record | o Changed query methodology to use a separate DNS resource record | |||
| type, DKIMP. | type, DKIMP. | |||
| o Changed tag values from SPF-like symbols to words. | o Changed tag values from SPF-like symbols to words. | |||
| o User level policies now default to that of the domain if not | o User level policies now default to that of the domain if not | |||
| specified. | specified. | |||
| o Removed the "Compliance" section since we're still not clear on | o Removed the "Compliance" section since we're still not clear on | |||
| what goes here. | what goes here. | |||
| o Changed the "parent domain" policy to only search up one level | o Changed the "parent domain" policy to only search up one level | |||
| (assumes that subdomains will publish SSP records if appropriate). | (assumes that subdomains will publish SSP records if appropriate). | |||
| o Added detailed description of SSP check procedure. | o Added detailed description of SSP check procedure. | |||
| D.12. Changes since -allman-ssp-00 | D.13. Changes since -allman-ssp-00 | |||
| From a "diff" perspective, the changes are extensive. Semantically, | From a "diff" perspective, the changes are extensive. Semantically, | |||
| the changes are: | the changes are: | |||
| o Added section on "Third-Party Signatures and Mailing Lists" | o Added section on "Third-Party Signatures and Mailing Lists" | |||
| o Added "Compliance" (transferred from -base document). I'm not | o Added "Compliance" (transferred from -base document). I'm not | |||
| clear on what needs to be done here. | clear on what needs to be done here. | |||
| o Extensive restructuring. | o Extensive restructuring. | |||
| End of changes. 43 change blocks. | ||||
| 132 lines changed or deleted | 270 lines changed or added | |||
This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||