
Re: [ietf-dkim] SSP Responsibility Delegation - Security Concerns

2006-08-16 17:07:38

----- Original Message -----
From: "Jim Fenton" <fenton(_at_)cisco(_dot_)com>

This seems like a minor change for the better.  What weakness
can't be fixed by the proper procedures followed by a
signing domain?

The one I described:  the inability for a verifier to distinguish
an author signature generated by the delegate from a
third-party signature generated by the delegate operating in
a different context.

This sounds more like a delegate problem.

If the ISP.NET was going to play by the rules, then it would avoid such
activity of signing or re-signing mailing list mail when in fact it has an
exclusivity contract with the domain to sign in an exclusive
manner in behalf of  He's breaking his own security as well as
the domain.

This all goes back to the thread we had in MAILSIG:

3rd party Signers - Definition/Usage

Your scenario is all part of this.

What "contract" does the ISP have with the domain?

Also, by the same token, if the domain "expects" to have his domain
associated with a mailing list, then it probably should not be using
exclusive contracts with the delegate signer.

Hector Santos, Santronics Software, Inc.
