ietf-dkim

Re: [ietf-dkim] A few SSP axioms

2006-08-01 10:51:24

----- Original Message -----
From: "Stephen Farrell" <stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie>
To: "Hector Santos" <hsantos(_at_)santronics(_dot_)com>


Hmmm, doesn't this "highly exclusive" policy just happen to be the most
powerful protection the DKIM protocol has to offer?

So, you're saying that...

"A says he signs everything"

     ...is "weaker" than....

"A says he signs everything and no-one else is allowed to sign A's mail"

Yes. I say that would be a weaker policy.

What's the benefit for the signer/originator or the verifier? I just
don't see one.


From a security standpoint, the highest protection is the "Greedy One", the
one with high exclusivity with absolutely no expectation for tampering, gain
of new information, unknown fingerprints, etc.  This yields the highest
confidence for the DKIM protocol.

All other policies begin relaxed deviations of the highest protection
possible.

However, this does not exclude the possibility of a service bureau that
operates and provides a service as a transparent 3rd party signer on behalf
of the original party.  This is also a highly possible scenario for mail
servers that are locally hosting domains and are providing a "Complete DKIM
Signing Service Plan(s)" for these hosted domains.

  Plan 1 - Host signs as 3rd party for domain  - $.10 per msg
  Plan 2 - Host signs as 1st party for domain  - $.25 per msg

Etc. In Plan 2, the host will basically create the keys for the domain, or he
might allow the domain to create them.

This level of possible host/domain service contracts was discussed in quite
some detail in the old list among myself, Earl Hood, Jim and a few others.  Earl
Hood, as you probably know, is/was the chief architect for the GoodMail
system that touched base with much of what we are discussing here.  Probably
doesn't hang around for NDA reasons now.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
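
The two policy statements compared in the message above, modelled from the verifier's side as an added example that is not part of the original post or of any SSP draft. The policy labels, the domains and the reading that both policies require an author-domain signature are assumptions of this example.

```python
from itertools import combinations

# Hypothetical labels for the two statements compared in the thread; they are
# not tag values from any SSP draft.
SIGNS_ALL = "signs-all"            # "A says he signs everything"
EXCLUSIVE = "signs-all-exclusive"  # "...and no-one else is allowed to sign A's mail"


def evaluate(policy, author_domain, valid_signers):
    """Classify a message as 'pass' or 'suspicious' under the author's policy.

    valid_signers holds the d= domains of signatures that already verified.
    Assumed reading: both policies require an author-domain signature, and
    only EXCLUSIVE also rejects any additional signer.
    """
    author = author_domain.lower()
    signers = {d.lower() for d in valid_signers}
    if author not in signers:
        return "suspicious"
    if policy == EXCLUSIVE and signers - {author}:
        return "suspicious"
    return "pass"


def accepted_sets(policy, author_domain, candidates):
    """Every combination of candidate signers that the policy accepts."""
    return {
        frozenset(combo)
        for n in range(len(candidates) + 1)
        for combo in combinations(candidates, n)
        if evaluate(policy, author_domain, combo) == "pass"
    }


if __name__ == "__main__":
    # Constructed domains: the author's, a hosting provider's, a mailing list's.
    author, host, mlist = "a.example", "host.example", "list.example"
    cases = {
        "Plan 2, host signs with the domain's key": [author],
        "Plan 1, host signs under its own name": [host],
        "author signature plus list signature": [author, mlist],
        "no valid signature": [],
    }
    for label, signers in cases.items():
        print(f"{label:42}", evaluate(SIGNS_ALL, author, signers),
              evaluate(EXCLUSIVE, author, signers))
    strict = accepted_sets(EXCLUSIVE, author, [author, host, mlist])
    relaxed = accepted_sets(SIGNS_ALL, author, [author, host, mlist])
    print("exclusive accepts a strict subset:", strict < relaxed)
```

Under this reading the exclusive policy accepts only the message signed by the author domain alone, which is why a host on Plan 2 is compatible with it and a host on Plan 1 is not.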

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html