ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [ietf-dkim] ISSUE 1525 -- Clarification about posting by first Author

2008-01-18 10:10:54
from [robert] [Permanent Link] 
Date: Fri, 18 Jan 2008 16:37:53 +0000
From: johnl(_at_)iecc(_dot_)com
To: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] ISSUE 1525 -- Clarification about posting by first 
Author
CC: robert(_at_)barclayfamily(_dot_)com


Indeed.  Does this mean you agree that SSP only applies to unsigned 
messages?  (Actual non-rhetorical question.)



I would agree here, except for one consideration. It makes it possible
to trivially bypass someone's policy by inserting a completely bogus
signature in all messages claiming to be from them. If anyone has a good
suggestion for how to tell the difference between a signature broken in
transit and one just made up ...


As far as DKIM is concerned, there is no difference between a broken
signature and no signature.  A message that arrives with a bogus
signature is unsigned.


Sorry, I think I may have misunderstood your earlier point. When you say SSP 
applies only to unsigned messages were you talking about excluding valid third 
party signatures (I apologize if I misread that part of the email).


If you are talking about third party signatures I guess it comes down to what 
you think the P in SSP stands for. If it is practices it is clear that I cannot 
usefully say anything about anyone else's practices. If it is policy I would 
say it is reasonable for a domain owner to be able to assert the policy that 
noone else is allowed to sign messages on their behalf. Whether it is wise to 
do so is really a matter for the domain ownder to decide for themselves looking 
at their terms of service, how their users (if there are any) actually use 
their domain, etc..

What a receiver does with this information is in my opinion out of scope for 
this discussion. It is essentially just one more useful piece of information to 
throw into the vast sea of information they already have available to help make 
decisions. If they choose to pick a set of third parties who they trust 
regardless of the originating domains assertion that would be up to them. 
SImilarly if they want to pick a list of originating domains they are 
completely unwilling to accept  third party signatures for that is also up to 
them. The policy of the originating domain may be of some help in deciding if 
someone belongs in either of those categories. .

- Robert





R's,
John




_________________________________________________________________
Connect and share in new ways with Windows Live.
http://www.windowslive.com/share.html?ocid=TXT_TAGHM_Wave2_sharelife_012008
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Re: ISSUE 1525 -- Restriction to posting by firstAuthor breaks email semantics, Douglas Otis
Next by Date:  Re: [ietf-dkim] Re: 1: 1 and assertions about third parties, John L
Previous by Thread:  Re: [ietf-dkim] ISSUE 1525 -- Clarification about posting by first Author, John Levine
Next by Thread:  RE: [ietf-dkim] ISSUE 1525 -- Clarification about posting by first Author, John L
Indexes:  [Date] [Thread] [Top] [All Lists]