ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [ietf-dkim] SSP Responsibility Delegation - Security Concerns

2006-08-16 17:18:32
from [Bill.Oxley] [Permanent Link] 
Thanks Doug,


-----Original Message-----
From: Douglas Otis [mailto:dotis(_at_)mail-abuse(_dot_)org]
Sent: Wed 8/16/2006 6:54 PM
To: Oxley, Bill (CCI-Atlanta)
Cc: fenton(_at_)cisco(_dot_)com; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] SSP Responsibility Delegation - Security Concerns
 

On Aug 16, 2006, at 2:52 PM, <Bill(_dot_)Oxley(_at_)cox(_dot_)com>  
<Bill(_dot_)Oxley(_at_)cox(_dot_)com> wrote:



I must be missing something here,
d=isp.net i=user(_at_)author(_dot_)com the message verifies successfully  
because the isp.net signed it and the SSP=I sign all at isp.net  
indicates it does 3rd party signatures?


The ssp would be referenced from 2822.From domain author.com.  Policy  
is not obtained from the signing domain.

This reference would indicate what domains are designated as being  
authoritative for the 2822.From domain.

This designated list might return DSD: isp.net, *.author.com.

It would be illegal per the base draft for the i=user(_at_)author(_dot_)com to  
be used.  This parameter could be excluded or point to some other  
header that contains an isp.net email-address.

Designating a domain will likely require some knowledge of how the  
domain protects the 2822.From addresses being used.  If there is no  
protection, then anyone could spoof.  Protecting a 2822.From email- 
address could be achieved in a number of ways.  To allow the user  
flexibility, a confirmation similar to that used to subscribe to a  
mailing list could be used per account.  This should be rather simple  
to automate.

All other uses within that domain could then use a separate  
designated domain.  For example signing messages for a list at  
isp.net could have lists.isp.net act as a designated domain for  
isp.net.  This would isolate messages signed by the list from those  
signed on behalf of authenticated accounts.  Conversely, the direct  
accounts could be signed by a designated domain users.isp.net.   
Designated domain lists provide a fair amount of flexibility for  
resolving these types of issues.

-Doug





_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] SSP Responsibility Delegation - Security Concerns, Hector Santos
Next by Date:  Re: [ietf-dkim] SSP Responsibility Delegation - Security Concerns, Michael Thomas
Previous by Thread:  Re: [ietf-dkim] SSP Responsibility Delegation - Security Concerns, Jim Fenton
Next by Thread:  RE: [ietf-dkim] SSP Responsibility Delegation - Security Concerns, Bill.Oxley
Indexes:  [Date] [Thread] [Top] [All Lists]