ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Re: Collection of use cases for SSP requirements

2006-11-17 08:13:30
from [Wietse Venema] [Permanent Link] 
Frank Ellermann:

Wietse Venema wrote:
 

My understanding is that DKIM-base can produce only two results:
signature verification succeeds or signature verification fails.


Where fails includes cases like no signature at all, yes.  But we
have first party (0 or 1) signatures, and third party signatures
(0 or more), and valid signatures from unknown strangers are not
relevant for receivers.


expanding these two results into >2 involves information outside
DKIM-base.


Yes, we're in an SSP thread, that's info outside BASE.  For some
mail claiming to be "from" paypal there are more than two cases:

It can have a valid Paypal signature (assuming you know paypal)
It can have a broken or no Paypal signature
It can have another signature from somebody you know
It can have another signature from somebody you don't know
Any valid signature you don't know can be from a bad actor


My understanding is that SSP provides statements by the rfc822.from
domain, about domains that they know, and that sign their mail.

Specifically, SSP does not answer the following questions:

1 - Do I know the signing party. Finding the signing domain listed
    in the rfc822.from's SSP record does not mean that I "know"
    the signing domain: the bad guys can use SSP too. The answer
    requires information outside SSP and outside DKIM-base.

2 - Is the signing party a bad actor. I don't recall the SSP design
    has a feature to say "caution: example.com is a bad actor". Such
    information could be provided by SSP if it were suitably extended.

3 - Is the signing party a good actor. Such statements are meaningless
    unless we already know and trust the rfc822.from domain. The answer
    requires information outside SSP and outside DKIM-base.

SSP allows us to expand DKIM-base's two results into just five:

1 - no valid signature                   (DKIM-base sans SSP)
2 - no valid signature, SSP requires one (DKIM-base plus SSP)
3 - valid signature                      (DKIM-base sans SSP)
4 - valid signature, blessed by SSP      (DKIM-base plus SSP)
5 - valid signature, not blessed by SSP  (DKIM-base plus SSP)

I hope that this bottom-up analysis will help to clarify what
information DKIM-base and SSP actually provide. Corrections are
of course welcome.

        Wietse
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Collection of use cases for SSP requirements, Michael Thomas
Next by Date:  Re: [ietf-dkim] Collection of use cases for SSP requirements, Wietse Venema
Previous by Thread:  [ietf-dkim] Re: Collection of use cases for SSP requirements, Frank Ellermann
Next by Thread:  [ietf-dkim] Re: Collection of use cases for SSP requirements, Frank Ellermann
Indexes:  [Date] [Thread] [Top] [All Lists]