Re: [ietf-dkim] linkage between "originator" and "handling agent"

2005-08-16 11:44:13
I think Jim mentioned this too, but I really like this table
as well. I do have some nits about it though...

Hector Santos wrote:
> Legend:
>
> SSP Policies:
>
>          NONE (no policy [1])
>     o=?  WEAK (signature optional, no third party, see [2])
>     o=~  NEUTRAL (signature optional, 3rd party allowed)
>     o=-  STRONG  (signature required, 3rd party allowed)
>     o=!  EXCLUSIVE (signature required, no 3rd party)
>     o=.  NEVER  (no mail expected)
>     o=^  USER
>
> [1] a NONE policy is possible where there is no declaration for a SSP.
>
> [2] Arvel suggested another policy called WEAK which satisfies a
> signature optional but not allowing 3rd party signers.
>
> Verify Results:
>
> NONE     - No signature in mail
> PASS     - Good Signature, Original Address Signer
> PASS 3P3 - Good Signature, 3rd party Signer
>
> FAIL     - Bad Signature, Original Address Signer
> FAIL 3P3 - Bad Signature, 3rd party Signer

and in particular these last two. Specifically, if the treatment
for FAIL or FAIL 3P3 is more favorable than NONE, attackers will
simply put broken signatures into their mail to get the more
favorable treatment. Trying to divine the difference between a
broken signature and a faked signature, well, requires the
divine :)

> Thus:
>
> Table 1.0 - DKIM Verification States illustrates all possible
>             outcomes for signature verification against SSP.
>
>             +------------------------------------------------------+
>             |            Sender Signing Policy Result              |
> +-----------+----------------------------------------------+-------+
> | result    |  WEAK  | NEUTRAL | STRONG  | EXCLU  | NEVER  | NONE  |
> | verify    |   OPT  | OPT/3PS | REQ/3PS |  REQ   |        |       |
> +-----------+--------+---------+---------+--------+--------+-------+
> | NONE      | accept | accept  | reject  | reject | reject | accept|
> |-----------+--------+---------+---------+--------+--------+-------|
> | PASS      | accept | accept  | accept  | accept | reject | warn  |
> |-----------+--------+---------+---------+--------+--------+-------|
> | PASS 3PS  | reject | warn    | accept  | reject | reject | warn  |
> |-----------+--------+---------+---------+--------+--------+-------|
> | FAIL      | warn   | warn    | warn    | warn   | reject | warn  |
> |-----------+--------+---------+---------+--------+--------+-------|
> | FAIL 3PS  | reject | warn    | warn    | reject | reject | warn  |
> +-----------+--------+---------+---------+--------+--------+-------+

I think that the rows of NONE, FAIL, and FAIL 3PS all ought to
be the same. Right?

Another nit is that we probably need to be a little bit more mealy-
mouthed about what accept/reject/warn mean. In particular, I don't
think that a receiver policy of "reject" (assumedly a 5xx) would
be feasible any time soon. Take for example this mailing list, which
mangles my message even though I have set a policy of o=-. Would
you really reject it? I'd be very hesitant to recommend anything
that drastic.

                Mike
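Added example, not code from this thread or from any DKIM implementation: a receiver-side decision function that applies Table 1.0 with the change Mike argues for, so NONE, FAIL and FAIL 3PS share a single row and a deliberately broken signature earns nothing over an unsigned message. The SSP record format (`o=` values) follows Hector's legend; `o=^` (USER) is left out because the table has no column for it, and the cryptographic signature check itself is assumed to have been done elsewhere.

```python
import re

# Columns of Table 1.0 in order, and the disposition rows after the change
# Mike proposes: NONE, FAIL and FAIL 3PS all collapse onto "UNVERIFIED".
COLUMNS = ("WEAK", "NEUTRAL", "STRONG", "EXCLUSIVE", "NEVER", "NONE")
ROWS = {
    "UNVERIFIED": ("accept", "accept", "reject", "reject", "reject", "accept"),
    "PASS":       ("accept", "accept", "accept", "accept", "reject", "warn"),
    "PASS 3PS":   ("reject", "warn",   "accept", "reject", "reject", "warn"),
}
# o= tag values from Hector's legend; o=^ (USER) has no column and is omitted.
O_TAG = {"?": "WEAK", "~": "NEUTRAL", "-": "STRONG", "!": "EXCLUSIVE", ".": "NEVER"}


def signing_domain(dkim_signature):
    """Return the d= tag of a DKIM-Signature header value (lower-cased), or None."""
    m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", dkim_signature)
    return m.group(1).lower() if m else None


def verify_state(from_domain, dkim_signature, signature_valid):
    """Classify a message as NONE, PASS, PASS 3PS, FAIL or FAIL 3PS.

    signature_valid is the outcome of the cryptographic check, which this
    example does not perform; "3PS" means d= differs from the From domain.
    """
    if dkim_signature is None:
        return "NONE"
    third_party = signing_domain(dkim_signature) != from_domain.lower()
    return ("PASS" if signature_valid else "FAIL") + (" 3PS" if third_party else "")


def policy_name(ssp_record):
    """Map a published SSP record such as 'o=-' to a policy name.

    No record, or one without a recognised o= value, is the NONE policy."""
    m = re.search(r"o=([?~!.-])", ssp_record or "")
    return O_TAG[m.group(1)] if m else "NONE"


def disposition(ssp_record, from_domain, dkim_signature, signature_valid):
    """Receiver disposition (accept / warn / reject) for one message."""
    state = verify_state(from_domain, dkim_signature, signature_valid)
    if state == "NONE" or state.startswith("FAIL"):
        # A broken signature proves nothing, so it gets exactly the treatment
        # an unsigned message gets: attaching garbage buys the sender nothing.
        state = "UNVERIFIED"
    return ROWS[state][COLUMNS.index(policy_name(ssp_record))]
```

The header values and domains used in the checks are constructed; whether "reject" should be a 5xx or something softer is the separate question Mike raises above.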
_______________________________________________
ietf-dkim mailing list
http://dkim.org