ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Responsibility concerns with Designated Signing Domains

2006-08-25 17:18:59

Again, only a quibble, but maybe a more significant one.

Jim Fenton wrote:
While we aren't defining reputation or accreditation services in this
working group, it has been widely suggested that such services would use
the d= domain on the signature as the "lookup key" for retrieving
reputation or accreditation information.

There is a fundamental difference, then, between key delegation and
delegation via SSP.  In the former (key delegation) case, the party
applying the signature (delegatee) is merely acting as an agent of the
delegator to do the mechanics of signature application.   It is still
the delegator's signature, and the "buck stops" with the delegator in
terms of who has taken responsibility for the message.

From the verifier point of view the buck stops with the delegator.

But if the delegator delegated its private key, or if the signer
supplied its public key to the delegator, then the buck might get
moved between them (from their, and not the verifier, perspective),
depending on the details of how the key delegation happened.

For example, if there is >1 copy of the private key, then, in
buck passing terms, we just don't know which signer signed.

Not an unsurmountable problem of course, and maybe the best
thing for some folks to do in any case. But yet again, each
form of delegation has its issues.

S.
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html