ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?

2005-08-24 18:01:30
from [Douglas Otis] [Permanent Link] 

On Aug 24, 2005, at 3:43 PM, Dave Crocker wrote:
It is not the SSP statement that is the problem, but confusion about forgery protections. The MTA does not need to attempt to provide the complete solution, but rather provide a solid foundation. 



I have not noticed anyone suggesting that the charter be changed.
Being unable to verifying the domain providing initial access for messages being offered is a is a problem affecting those accepting Internet mail. The verification establishes a domain accountable for subsequent messages with expectations of this domain being able to abate ongoing abuses. A verified domain signature within the message also affords opportunistic identification techniques of the sending entities by mail user agents as a means to thwart the targeted spoofing of prior correspondents.
The DKIM working group will produce standards-track specifications that will permit the authentication of the domain providing initial access for entities sending messages. The authentication process will utilize a dedicated header containing public-key signatures and verified with public keys stored in the accountable domain's DNS hierarchy.
The specification will be based on the draft-allman-dkim-*.txt Internet-Drafts. The working group will also attempt to make upwardly compatible changes with that of the initial draft-delany-domainkeys- base-02.txt Internet draft as deemed useful to improve the viability of services based on these specifications.
The specifications will contain summaries of the threats, requirements and limitations that are associated with the specified mechanism. The DKIM working group will also address mechanisms for advertising "signing policy" so that a recipient can determine whether a valid message signature should be present.
The working group will NOT consider related topics, such as reputation and accreditation systems, and message encryption. It will also NOT consider signatures which are intended to make long- term assertions (beyond the expected transit time of a message) nor signatures which attempt to make strong assertions of the identity of the message author.
The working group may also study whether to adopt a work item for specifying a common mechanism to communicate the results of message verification to the message recipient. 

-Doug


_______________________________________________
ietf-dkim mailing list
http://dkim.org
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] updated threat analysis outline, Douglas Otis
Next by Date:  Re: [ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?, Dave Crocker
Previous by Thread:  Re: [ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?, Dave Crocker
Next by Thread:  Re: [ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?, Dave Crocker
Indexes:  [Date] [Thread] [Top] [All Lists]