ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ietf-dkim] ISSUE: SSP-02:Author Signature scope too narrow (Updates ISSUE 1519)

2008-02-11 19:20:51
from [Douglas Otis] [Permanent Link] 
See:
https://rt.psg.com/Ticket/Display.html?id=1519

SSP-02:
2.8. Author Signature (too restrictive)

 An "Author Signature" is any Valid Signature where the identity of
 the user or agent on behalf of which the message is signed (listed in
 the "i=" tag or its default value from the "d=" tag) matches an
 Author Address in the message.
The structure of the draft has changed for both all and strict. In reviewing the draft, the definition used in ASP-00 provides a far less problematic Author Signature definition. 
See:
http://tools.ietf.org/html/draft-levine-asp-00

2.8. Author Signature (too simple)

 An "Author Signature" is any Valid Signature where the signing domain
 (listed in the "i=" tag if present, otherwise its default value,
 consisting of the value of the "d=" tag) matches the domain of an
 Author Address.
While the ASP definition is much better than the current SSP definition, other definitions can better recognize the signing domain as being authoritative for what messages are compliant with their signing policy. The increased scope would allow greater freedom for domains that partition users into separate sub-domains where different policies are asserted. When the From email-address domain applies a signature to the message, this indicates the message is compliant with their signing policies. There might be a desire to limit the scope of this compliance to assure the scope of the signatures compliance is constrained by the key's g= and t= parameters such that the key being referenced could have been used for the Author Address as well. 

2.8. Author Signature

Full scope Author Signature definition: (recommended)

 An "Author Signature" is any Valid Signature where the signing domain
 (listed in the "d=" tag) matches or is above the domain of the
 Author Address.

NON-NORMATIVE DISCUSSION: This definition permits signatures for
local-part restricted keys and sub-domain restricted keys to be
compliant with an assertion that all messages are signed.  The key
restrictions limit the domain's authority to indicate for whom
the signature was added (listed the "i=" tag).


Limited scope Author Signature definition: (conservative)

 An "Author Signature" is any Valid Signature where the signing domain
 (listed in the "d=" tag) matches or is above the domain of the
 Author Address.  The Author Address must also be contained within the
 scope of the key local-part and sub-domain range (listed in the
 key's "g=" and "t=" tags).

NON-NORMATIVE DISCUSSION: The key restrictions limit the domain's
authority to indicate for whom the signature was added (listed the
"i=" tag) as well as limit the ability of restricted keys to be
automatically considered compliant with the domain's signing
polices.

-Doug




_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [ietf-dkim] NEW ISSUE: Security Threat: Unexpected Third Party Senders, Hector Santos
Next by Date:  [ietf-dkim] ISSUE: SSP-02: MX Record publishing mandate to reduce DNS overhead for SSP Discovery and to detect fraudulent messages, Douglas Otis
Previous by Thread:  [ietf-dkim] NEW ISSUE: Security Threat: Unexpected Third Party Senders, Hector Santos
Next by Thread:  Re: [ietf-dkim] ISSUE: SSP-02:Author Signature scope too narrow (Updates ISSUE 1519), Charles Lindsey
Indexes:  [Date] [Thread] [Top] [All Lists]