Earl Hood wrote:
On August 25, 2005 at 09:22, Jim Fenton wrote:
The intent of
restricting third-party signatures is to prevent messages signed by
mailing lists and the like (and particularly by attackers posing as
such) from being considered verified if there isn't also a valid OA
signature.
Exactly. This is why third-party signing should never be enabled.
As DKIM is defined now, no OA should ever enable 3rd-party signing.
This means that any message that is modified in transit, such as those
that pass through this mailing list, would never be considered valid.
Some domains are more concerned with making sure their message gets
through than with the possibility that a third-party signature might be
exploited.
For those where this would matter, then
making the assertion should be required.
You are assuming that a domain owner is aware of DKIM. When DKIM is
deployed, you cannot require all domain owners to set up SSP records
immediately.
I'm confused about who's saying what, apparently. I thought you (Earl)
were advocating a default SSP of "I don't sign anything" which would
require the SSP to be set up at the same time as the selectors.
My statement refers to the default assumption made in the SSP draft
about a non-existent SSP record. The draft states,
If the Sender Signing Policy record does not exist, verifier systems
MUST assume that some messages from this entity are not signed and
the message SHOULD NOT be considered to be Suspicious.
Nothing is said about a valid (non-OA) signature when no SSP record
exists.
When the OA isn't signing everything, I don't understand how policy that
relates to how others apply third-party signatures to those messages is
useful.
Earlier in the draft,
Verifiers checking messages that do not have at least one valid
signature MUST perform a Sender Signing Policy Check by doing a
DNS query to the domain specified by the Originator Address.
Should it state, "do not have at least one valid *OA-based*
signature..."? Otherwise, if the only signature is a valid third-party
signature, no SSP check is required.
I agree. That looks like a bug in the spec. An OA-based signature is
required to bypass the SPC.
-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org
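To make the spec bug discussed above concrete, here is an added example (not code from the thread, the SSP draft, or any DKIM implementation) that models a verifier's decision under the two readings of the rule "messages that do not have at least one valid signature MUST perform a Sender Signing Policy Check": the literal reading, where any valid signature skips the check, and the OA-based reading Jim and Earl converge on, where only a signature by the Originator Address domain skips it. The three-state policy vocabulary, the DNS stand-in and the message layout are simplifications assumed for illustration.

```python
"""Model of the DKIM Sender Signing Policy (SSP) decision under two readings
of the draft rule. Added example; the policy states and the lookup are
assumptions for illustration, not the draft's actual record syntax."""
from dataclasses import dataclass


@dataclass
class Signature:
    domain: str   # domain that produced the signature (d= tag)
    valid: bool   # result of cryptographic verification


# Assumed simplified policy states (the real draft has more detail).
SIGNS_SOME = "some"                   # draft default when no SSP record exists
SIGNS_ALL = "all"                     # OA signs everything, no third-party signing
SIGNS_ALL_THIRD_PARTY = "all+third"   # OA signs everything, third-party allowed


def ssp_lookup(oa_domain, records):
    """Stand-in for the DNS query. A missing record yields the draft default:
    assume some messages from this entity are unsigned, so not Suspicious."""
    return records.get(oa_domain, SIGNS_SOME)


def has_bypass_signature(oa_domain, signatures, oa_based):
    """Literal reading: any valid signature bypasses the SSP check.
    OA-based reading: only a valid signature from the OA domain does."""
    for s in signatures:
        if s.valid and (not oa_based or s.domain == oa_domain):
            return True
    return False


def evaluate(oa_domain, signatures, records, oa_based):
    """Return whether the SSP check ran and whether the message is Suspicious."""
    if has_bypass_signature(oa_domain, signatures, oa_based):
        return {"ssp_checked": False, "suspicious": False}
    policy = ssp_lookup(oa_domain, records)
    oa_signed = any(s.valid and s.domain == oa_domain for s in signatures)
    third_party_signed = any(s.valid and s.domain != oa_domain for s in signatures)
    if policy == SIGNS_SOME:
        suspicious = False
    elif policy == SIGNS_ALL:
        suspicious = not oa_signed
    else:  # SIGNS_ALL_THIRD_PARTY
        suspicious = not (oa_signed or third_party_signed)
    return {"ssp_checked": True, "suspicious": suspicious}


# Constructed scenario: the OA domain publishes "sign everything, no third
# party", and a message arrives carrying only a valid mailing-list signature.
RECORDS = {"oa.example": SIGNS_ALL}
THIRD_PARTY_ONLY = [Signature(domain="list.example", valid=True)]


def compare_readings(oa_domain="oa.example", signatures=THIRD_PARTY_ONLY,
                     records=RECORDS):
    """Evaluate the same message under both readings of the draft rule."""
    return {
        "literal": evaluate(oa_domain, signatures, records, oa_based=False),
        "oa_based": evaluate(oa_domain, signatures, records, oa_based=True),
    }


if __name__ == "__main__":
    for reading, result in compare_readings().items():
        print(f"{reading:9} -> {result}")
```

Under the literal reading the third-party signature alone suppresses the SSP check, so the OA's "sign everything" policy is never consulted and the message passes; under the OA-based reading the check runs and the message is flagged, which is the outcome the policy was meant to produce.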