ietf-dkim

RE: [ietf-dkim] Delegated signatures in real life

2006-08-30 12:27:56
First, the example John gives is real, but an incomplete description. VeriSign 
is an ESP; the point is that this high-trust case is not the most general case. 
It is much more common to outsource bulk mailing, and this is done today to 
low-trust providers precisely because there is no authentication in email.

We should not rely on an expectation of low security that we are trying to 
change.

Security by analogy and security by comparison fail for well known reasons. 

It is always a mistake to use implementation considerations to filter 
requirements gathering. Gather the requirements then filter.

I know people think they have code to protect. But at this stage I don't think 
ssp will survive unchanged. So why not simplify it while we have the chance? 
Especially when we can do so and meet more requirements by doing so.

Sent from my GoodLink Wireless Handheld (www.good.com)

 -----Original Message-----
From:   John L [mailto:johnl(_at_)iecc(_dot_)com]
Sent:   Tuesday, August 29, 2006 05:52 PM Pacific Standard Time
To:     Hallam-Baker, Phillip
Cc:     DKIM List
Subject:        RE: [ietf-dkim] Delegated signatures in real life

> Orbitz might not care about the security issues raised by allowing 
> doubleclick to sign messages on behalf of their CEO and other 
> executives. Many others will.

Actually, Doubleclick signs for email.orbitz.com, which is not the domain 
where the execs have their addresses.  If there is some security problem 
here, you'll have to explain more clearly what it is.

> This is a security area spec, least privilege must apply wherever possible.

Sure, but don't forget that the D in DKIM stands for Domain.  The 
granularity is domains, not mailboxes.  If you want per-mailbox 
signatures, DKIM isn't what you're looking for.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet 
for Dummies",
Information Superhighwayman wanna-be, http://johnlevine.com, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
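The exchange above turns on what a DKIM signature actually vouches for: the d= domain, not a mailbox. The script below is an added example, not code from the thread or from any participant, that makes the point concrete. It parses a DKIM-Signature tag list (RFC 6376 style), takes the From: domain, and reports whether the signing domain is the same as, a parent of, a subdomain of, or unrelated to the From: domain; it also applies the RFC 6376 rule that the domain part of i= must be d= or a subdomain of it. The headers are constructed for illustration (placeholder bh= and b= values, invented selector), using the domain names from the thread; nothing here is a real message or a real key.

```python
"""Relate a DKIM signing domain (d=) to the From: domain.

Added example; not part of the ietf-dkim thread. Standard library only.
"""
import re
from email.utils import parseaddr

# Constructed sample headers (not a real message). This is the case the thread
# discusses: a bulk-mail provider signs with d=email.orbitz.com while the
# From: address is in the parent domain orbitz.com. The selector, bh= and b=
# values are placeholders and are never verified here.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=email.orbitz.com; s=bulk1;\r\n"
    "\th=from:to:subject:date; i=@email.orbitz.com;\r\n"
    "\tbh=ZmFrZS1ib2R5LWhhc2g=; b=ZmFrZS1zaWduYXR1cmU="
)
SAMPLE_FROM = "Orbitz CEO <ceo@orbitz.com>"


def parse_dkim_tags(value):
    """Parse a DKIM-Signature tag=value list into a dict.

    Splits on ';', splits each tag on the FIRST '=' only (b= and bh= values
    end in '=' padding), strips folding whitespace from values, and rejects
    duplicate tags as RFC 6376 requires.
    """
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ';' or empty element
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        name, val = part.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def domain_of(address_header):
    """Return the lower-cased domain part of the first address in a header."""
    _, addr = parseaddr(address_header)
    if "@" not in addr:
        raise ValueError("no mailbox in header: %r" % address_header)
    return addr.rsplit("@", 1)[1].lower()


def is_same_or_subdomain(candidate, parent):
    """True if candidate equals parent or is a subdomain of it."""
    candidate = candidate.lower().rstrip(".")
    parent = parent.lower().rstrip(".")
    return candidate == parent or candidate.endswith("." + parent)


def agent_identifier_ok(tags):
    """RFC 6376 section 3.5: the domain part of i= MUST be d= or a subdomain.

    i= is optional and defaults to @d, so a missing tag passes. A signer for
    email.orbitz.com therefore cannot even claim i=ceo@orbitz.com.
    """
    i = tags.get("i")
    if i is None:
        return True
    i_domain = i.rsplit("@", 1)[-1]
    return is_same_or_subdomain(i_domain, tags["d"])


def signing_scope(dkim_signature, from_header):
    """Classify how the d= domain relates to the From: domain.

    'subdomain-of-from' is the thread's case: the signature speaks for
    email.orbitz.com only and says nothing about mail from orbitz.com itself.
    """
    tags = parse_dkim_tags(dkim_signature)
    if "d" not in tags:
        raise ValueError("DKIM-Signature without d= tag")
    d = tags["d"].lower().rstrip(".")
    f = domain_of(from_header)
    if d == f:
        return "same-domain"
    if is_same_or_subdomain(f, d):
        return "parent-of-from"
    if is_same_or_subdomain(d, f):
        return "subdomain-of-from"
    return "unrelated"


if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_SIGNATURE)
    print("d=", tags["d"], "i=", tags.get("i"), "i= consistent:", agent_identifier_ok(tags))
    print("scope:", signing_scope(SAMPLE_SIGNATURE, SAMPLE_FROM))
```

Running it on the constructed sample reports "subdomain-of-from": the signature is valid for email.orbitz.com, but a verifier deciding whether it covers a From: address at orbitz.com has to make that policy call itself, which is the gap the thread is arguing about.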