ietf-dkim

Re: [ietf-dkim] Delegated signatures in real life

2006-08-31 11:02:27

----- Original Message -----
From: "Stephen Farrell" <stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie>
To: "william(at)elan.net" <william(_at_)elan(_dot_)net>


william(at)elan.net wrote:
> Chairs - please step up! Please clarify for everyone what the
> relation between documents and requirement for implementers would be.

Since base has no normative reference to ssp then there is no
requirement to implement ssp for conformance with base.

Nothing to do with being a chair that - the lack of the
normative reference says it all (as a quick read of the document
should make clear).

At the risk of being in the wrong position here, you do have the tie in with
the TA document with pretty profound statements:

3.2.  Use of Specific Identities

   ....

   DKIM is effective against the use of specific identities only when
   there is an expectation that such messages will, in fact, be signed.
   The primary means for establishing this is the use of Sender Signing
   Practices (SSP)[I-D.allman-dkim-ssp].

4.  Attacks on Message Signing

   Bad actors can be expected to exploit all of the limitations of
   message authentication systems.  They are also likely to be motivated
   to degrade the usefulness of message authentication systems in order
   to hinder their deployment.  Both the signature mechanism itself and
   declarations made regarding use of message signatures (referred to
   here as Sender Signing Policy, Sender Signing Practices or SSP, as
   described in [I-D.ietf-dkim-base] ) can be expected to be the target
   of attacks.

Plus to other references in 4.0 sub-sections indicating how SSP can be
abused and also subdue attacks.

5.  Derived Requirements

   This section lists requirements for DKIM not explicitly stated in the
   above discussion.  These requirements include:

      The store for key and SSP records must be capable of utilizing
      multiple geographically-dispersed servers.

      Key and SSP records must be cacheable, either by the verifier
      requesting them or by other infrastructure.


--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com






