At 2:00 PM -0400 7/27/06, <Bill(_dot_)Oxley(_at_)cox(_dot_)com> wrote:
> My requirements
> I sign all
> I sign nothing
> I sign only 3rd party
> I sign all and 3rd party
> I sign some mail
>
> My Policy/Practice
> I sign all - every piece of mail purported to be from me must be signed
> I sign nothing - if mail arrives with a DKIM sig, I didn't send it
> I sign only 3rd party - I only act as a signing domain for other domains, I don't sign any of my own mail
> I sign all and 3rd party - I sign all my mail and for other parties as well
> I sign some mail - I sign only mail that I am willing to swear that I am responsible for
I am completely confused by "I sign nothing" and "I sign only 3rd party" and "I sign some mail". I don't see the value of those to the recipient.

"I sign nothing" seems weird. If I have something signed by your domain, and I cannot get the signing key from your domain, "I sign nothing" adds no value. The signature is invalid. If an attacker can inject a DKIM header and a key, he can also suppress the SSP response.

"I sign only 3rd party" has the same attack problem as "I sign nothing".

"I sign some mail" doesn't tell the recipient anything useful.

What am I missing?

--Paul Hoffman
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html