ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Asrg] 6. Proposals - DNS + PKI - Yahoo's "Domain Keys"

2003-12-08 10:36:30
from [Mark Baugher] [Permanent Link]
It's not clear to me what Yahoo is proposing since the descriptions I have read don't make much sense. But the first question I have with any signature proposal is "what does the signature attest to?" The signature might attest to the fact that the sender is legitimately sending from a particular address. Or the signature might make no assertion about the address but only that the message originates from a particular key holder. Or the signature might attest to the fact that the message originates from a particular mail operator who has a certain antispam policy. 

Mark

At 09:07 AM 12/8/2003, Jonathan Morton wrote:

There are two basic scenarios, both with flaws:
1.) The MTA signs the message: This is problematic in the "traveling salesperson" type scenario, because often then cannot use their company mail server due to ISP filtering, etc. 

2.) The MUA signs the message:  This yields one of two subproblems:
2.a.) The MUA signs using a "per-user" key : You now have to maintain in DNS several thousand keys for your large organizations 2.b.) The MUA signs using a "domain-wide" key : Every time you fire an employee you have to change the key or risk its misuse 

or:
3) The signing is done by the MUA, but the key and crypto are all done by a separate entity, which I have called an MAA in the past. The MUA authenticates to the MAA and sends a digest of the message, then gets a signature back to attach to the message. The MAA may be physically colocated on the MTA, but is logically separate, uses a different protocol, and should avoid filtering by most ISPs.
This last scenario is what I suggested some time ago, and may yet be used as a component of the consent framework. 

--------------------------------------------------------------
from:     Jonathan "Chromatix" Morton
mail:     chromi(_at_)chromatix(_dot_)demon(_dot_)co(_dot_)uk
website:  http://www.chromatix.uklinux.net/
tagline:  The key to knowledge is not to rely on people to teach you it.


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg




_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Asrg] 6. Proposals - DNS + PKI - Yahoo's "Domain Keys", Jonathan Morton
Next by Date:  Re: [Asrg] 6. Proposals - DNS + PKI - Yahoo's "Domain Keys", Alan DeKok
Previous by Thread:  Re: [Asrg] 6. Proposals - DNS + PKI - Yahoo's "Domain Keys", Jonathan Morton
Next by Thread:  Re: [Asrg] 6. Proposals - DNS + PKI - Yahoo's "Domain Keys", Alan DeKok
Indexes:  [Date] [Thread] [Top] [All Lists]