ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Re: ISSUE: Better definition of "DKIM signing complete" required

2006-11-27 05:06:48
from [Charles Lindsey] [Permanent Link]
On Sun, 26 Nov 2006 21:37:37 -0000, Hector Santos <hsantos(_at_)santronics(_dot_)com> wrote:
We must work on the basis that a DOMAIN may want to use DKIM in a highly exclusive, bar none, 1 to 1 communications environment only. That is the highest protection DKIM an offer. We can't ignore this.
After that, it gets relaxed and murky as to how to keep this DKIM security intact with various relaxed conditions. But we must satisfy the ideal condition and that is the strong and/or exclusive SSP policy.
At this point, we then look at new features to support the DKIM LS implementation such as: 

AFAICS, a List Expander has the following options:

1. Ignore DKIM. Pretend it doesn't exist.
The result of that is that list members (or their ISPs) will start regarding some messages with "suspicion", and maybe drop them. List members wll not be pleased. 

2. Refuse to subscribe (as contributors) sites with exclusive SSP policies.
Will work, but will piss off people from such domains who want to participate. 

3. Manage the list so that signatures still work after passing through.
I.e. don't change 'critical' headers, don't add stuff at the end of bodies, etc. 

4. Resign all messages yourself.
Essentially, you are saying "I realise I may have broken the existing signature, but I assure you I verified the original signature and checked that it complied with the sender's SSP, and my new signature encompasses an X-verified header I added to testify to those checks. Trust me! I am a Good Guy!"
And then you hope that your reputation is good enough that your highly suspicious recipients will indeed believe that you are a "Good Guy".
So, is that a good summary of strategies that have been discussed on this list, or are there others? And are they good enough (#4 seems the best approach to be, or maybe #3 and #4 together)? 

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl 
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Re: "I sign everything" yes/no, Jim Fenton
Next by Date:  Re: [ietf-dkim] Re: "I sign everything" yes/no, Charles Lindsey
Previous by Thread:  Re: [ietf-dkim] Re: ISSUE: Better definition of "DKIM signing complete" required, Hector Santos
Next by Thread:  Re: [ietf-dkim] Re: ISSUE: Better definition of "DKIM signing complete" required, Hector Santos
Indexes:  [Date] [Thread] [Top] [All Lists]