ietf-dkim

Re: [ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?

2005-08-19 12:46:30
On August 19, 2005 at 01:03, Douglas Otis wrote:

>> Is your view in a nutshell (of what DKIM should be):  When a domain
>> signs a message, it is saying, "Here is what I got and transmitted."
>> DKIM only provides a verifiable trace of a message.
>
> The signature indicates a specific message has been transmitted by a
> specific administrative domain, to be held accountable for the access
> thereby granted.  Additional properties must be premised upon the
> governance demonstrated by the accountable domain.

Okay, but I am having some trouble in how accountable a domain will be.
Mail transmission is not necessarily point-to-point, with a message
potentially going through multiple domains before reaching its
final destination.  When a domain signs a message, what level
of accountability is the domain stating?  Can there be different
levels depending on the role the domain plays in the transmission of
the message?

>> And/or, DKIM should provide verifiability of a message's originating
>> domain: the initial domain that receives a sender's message for
>> transmission.
>
> I do not understand what significance you're placing upon "originating
> domain." Is this implying a relationship with a mailbox address?

Yes.  The "originating domain" is the first domain to handle the
message.  The sender of the message obtained authorization from the
originating domain to transmit the message.

Since you mention accountability, I believe there should be a different
level of accountability from the originating domain from subsequent
domains that may handle a message during transit.

>> When the initial domain signs a message, it is saying, "Here is what
>> the domain-authorized sender submitted to me for
>> transmission."
>
> Again, I don't understand what is implied by "domain-authorized sender."
> Is this suggesting a provider must query the domain in a mailbox-address
> for a specific "sender" authorization prior to transmitting the message?

I am talking about the relationship between the domain and the mailbox
users it services.  For a mailbox user to send out a message (through
the given domain), the domain must grant permission for the mailbox
user to do this.  Therefore, the sender is "domain-authorized" to
send messages originating from the given domain.

--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org
