On Thursday 17 August 2006 11:44, Bill(_dot_)Oxley(_at_)cox(_dot_)com wrote:
> Big gaping hole, I may assume that isp.com can determine the
> author/originator but how to differentiate or not sign a spoof?

It gets back to is the signer controlled or uncontrolled. Only a controlled
signer is suitable for SSP delegation (this would be a contractual matter
between the ISP and their customers).

Typically, today, ISPs that allow foreign mail identities operate
uncontrolled. That is, any user authorized to use the MSA is allowed to use
arbitrary identities. This would have to change. I expect that for large
ISPs it would be impractical to go back and validate their entire userbase and
so this might be offered as a premium service for the class of customers that
would care.

Operationally for an MSA this is trivial (at least based on my experience with
Postfix, my MTA software of choice), the major challenge is the
administrative effort needed to verify authorization to use an address.

When we get to writing the internet draft with the SSP specification, I will
volunteer now to write the words explaining all this so people have no excuse
if they screw it up. I will keep writing until there is agreement that the
issue and how to mitigate it is described accurately.

Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
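
The controlled-signer check described in the message above, sketched as an added example (not part of the original post and not Postfix code): the MSA signs only when every From: address is on the list the ISP has verified for the authenticated login. The table, logins and addresses are constructed, and folding the local part to lower case is an assumption.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed table: authenticated MSA login -> addresses the ISP has verified
# that customer may use (the administrative step the message describes).
VERIFIED = {
    "alice": {"alice@isp.example", "alice@customer.example"},
    "bob": {"bob@isp.example"},
}


def normalize(addr):
    """Return local@domain in lower case, or None if the address is malformed.

    Assumption: the local part is compared case-insensitively.
    """
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return f"{local.lower()}@{domain.lower()}"


def author_addresses(raw_message):
    """Collect every mailbox from every From: header field in the message."""
    msg = message_from_string(raw_message)
    return [addr for _name, addr in getaddresses(msg.get_all("From", []))]


def may_sign(login, raw_message, verified=VERIFIED):
    """Controlled signer: sign only if all From: addresses are verified for login.

    An uncontrolled signer would stop at "login is authenticated" and sign
    whatever identity the user supplied.
    """
    allowed = verified.get(login, set())
    authors = [normalize(a) for a in author_addresses(raw_message)]
    if not authors or None in authors:
        return False  # missing or unparsable From: is never signed
    return all(a in allowed for a in authors)


if __name__ == "__main__":
    spoof = "From: CEO <ceo@victim.example>\nSubject: invoice\n\nbody\n"
    own = "From: Alice <alice@customer.example>\nSubject: hello\n\nbody\n"
    print("bob, foreign identity:", may_sign("bob", spoof))
    print("alice, verified identity:", may_sign("alice", own))
```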