ietf-mailsig

Re: SSP outbound signing policy

2005-07-28 11:44:14


----- Original Message -----
From: "Earl Hood" <earl@earlhood.com>
To: <ietf-mailsig@imc.org>
Sent: Wednesday, July 27, 2005 10:58 PM
Subject: Re: SSP outbound signing policy


I think your WEAK idea clears it up:

    o=?  WEAK (signature optional, no third party)
    o=~ NEUTRAL or RELAXED (signature optional, 3rd party allowed)

I think this is not enough.  To enable third-party signing, the
ability to list which signing agents are allowed to sign must
be provided.  Otherwise, enabling third-party signing opens you
up to spoof attacks, making third-party signing pointless.

Related to this is that third-party signing would require DKIM to be
modified to state that the i= tag does not need to be a subdomain of
the d= tag since the signing address can be of a different domain
from the signer.  Or, if third-party signing is done, the i= tag
should not be specified.

Before we jump the gun on this, I think we need to clearly define what is
meant by "3rd party" and "3rd party signing."

Take for example a message with two signatures.  Is this an example of 3rd party
signing?  What policy controls this?

Using your spoof example:

 DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;
        c=simple; q=dns;
        h=Received : From : To : Subject : Date : Message-ID;
        b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
          VoG4ZHRNiYzR;
  Received: from 10.2.3.4-example.com  [10.2.3.4]
        by submitserver.example.com with SUBMISSION;
        Fri, 11 Jul 2003 21:01:54 -0700 (PDT)
  From: Joe User <joe.user@example.com>
  To: Suzie Q <suzie@shopping.example.net>
  Subject: I need your help?
  Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
  Message-ID: <20030712040037.46341.5F8J@example.com>

An SSP lookup for _policy._domainkey.example.com is done.  In order for this
to pass, example.com must allow for a relaxed/neutral policy.

However, if there was a second signature:

 DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;
        c=simple; q=dns;
        h=Received : From : To : Subject : Date : Message-ID;
        b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
          VoG4ZHRNiYzR;
  Received: from 10.2.3.4-example.com  [10.2.3.4]
        by submitserver.example.com with SUBMISSION;
        Fri, 11 Jul 2003 21:01:54 -0700 (PDT)
 DKIM-Signature: a=rsa-sha1; s=key123; d=example.com;
        c=simple; q=dns;
        h=From : To : Subject : Date : Message-ID;
        b=ABC....ZYZ;
  From: Joe User <joe.user@example.com>
  To: Suzie Q <suzie@shopping.example.net>
  Subject: I need your help?
  Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
  Message-ID: <20030712040037.46341.5F8J@example.com>

and this second signature passes, we still might need to look up the SSP for
example.com, because the policy might suggest that no further signing was
expected.

What it might all come down to is that we might run into situations where a
user's usage of a domain might be restricted in certain areas of the internet,
for example a mailing list.

What if the mailing list server began to sign all its distributed mail?  Or
any MTA signing all outgoing mail?

Well, if the originating address domain is not local (a relay maybe), it
might have to look up the SSP to determine if it is even allowed to sign the
message.

I don't know if this has been considered, but it sure sounds like a new can
of worms.

So we need to discuss what exactly is meant by "3rd party" and "3rd party
signing."

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
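As an added illustration (not code from either poster), the following Python sketch parses the two-signature headers from the post and applies the o=? / o=~ semantics quoted above, including the allow-list of permitted signers that Earl argues a third-party policy needs. It assumes cryptographic verification has already happened (the caller passes the set of d= domains whose signature verified), and the `allowed_signers` parameter is hypothetical, not a tag in the drafts discussed.

```python
import re

# Constructed sample: the two-signature message from the post, abbreviated
# (b= values are placeholders, so no cryptographic check is done here).
SAMPLE = """DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;
        c=simple; q=dns; h=Received : From : To; b=dzdVyOfAKCdLXdJO;
Received: from 10.2.3.4-example.com [10.2.3.4]
        by submitserver.example.com with SUBMISSION;
DKIM-Signature: a=rsa-sha1; s=key123; d=example.com;
        c=simple; q=dns; h=From : To : Subject; b=ABC....ZYZ;
From: Joe User <joe.user@example.com>
"""

def unfold(raw):
    """Return [(name, value)] with continuation lines folded back in."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip(), value.strip()])
    return fields

def tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature syntax) into a dict."""
    return {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in value.split(";") if "=" in t)}

def evaluate(raw, verified, policy, allowed_signers=None):
    """Verifier decision. verified: d= domains whose signature verified (stands in
    for the RSA check). policy: o= value from _policy._domainkey.<From-domain>,
    '?' = signature optional, no third party, '~' = third party allowed.
    allowed_signers: hypothetical allow-list of third-party signing domains
    (Earl Hood's suggestion; not a tag in the drafts discussed)."""
    fields = unfold(raw)
    from_domain = next(re.search(r"@([\w.-]+)", v).group(1).lower()
                       for n, v in fields if n.lower() == "from")
    signers = [tags(v).get("d", "").lower()
               for n, v in fields if n.lower() == "dkim-signature"]
    good = [d for d in signers if d in verified]
    if from_domain in good:
        return "pass", from_domain          # first-party signature: SSP not needed
    third = [d for d in good if d != from_domain]
    if third and policy == "~" and (allowed_signers is None or third[0] in allowed_signers):
        return "pass-third-party", third[0]
    # No usable signature: under o=? a third-party signature gives no assurance,
    # so the message is handled exactly like an unsigned one.
    return "unsigned", None
```

With only the ispoofyou.org signature verifying, the message passes under o=~ but counts as unsigned under o=? or when the signer is not on the allow-list; once the example.com signature verifies, no SSP lookup is needed at all.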


