ietf-dkim
[Top] [All Lists]

[ietf-dkim] Re: ISSUE: Rename SSP to ASP

2008-02-12 13:42:51
"Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> schrieb [...]

Intro intentionally left as my MUA presents it in a reply.

My problem here is that Phill Hallam-Baker is the Author
of this email but verisign.com would be the signer.

Actually somebody using the address <pbaker(_at_)verisign(_dot_)com>
is the purported author, and that person or entity picked
"Hallam-Baker, Phillip" as pretty name.  IMO versisign.com
could be in a position to judge whether they sign the mail.

At least they know that they have a user with the mailbox
"pbaker".  Maybe they don't know if the mail was submitted
by Phill Hallam-Baker, or by somebody else writing mails
in his name on a box permanently or temporarily attached
to their networks.  But DKIM clearly says that it is *not*
supposed to replace (or emulate) S/MIME and OpenPGP.  

The 2822 term <author> has the function to identify the
author(s), there is no guarantee that it is correct, and
DKIM also does not offer this guarantee.  SSP only allows
to reject any unsigned 2822-From: <pbaker(_at_)verisign(_dot_)com> 
IFF the relevant verisign.com admin published a statement
that they always sign @verisign.com and consider unsigned
versions as broken or fakes.

That includes valid mails from the real Phill via another
ESP with Sender: <phill(_at_)else(_dot_)where> and the SSP-protected
<pbaker(_at_)verisign(_dot_)com>

It would be also the moment where I'd ask this relevant
admin if she's on crack or something, but depending on the
domain I might settle to use a Reply-To for my favourite
address with From: <me(_at_)else(_dot_)where>

Apparently this WG doesn't see the point in PRA and 2822,
now they use "author", neither "sender" nor PRA <shrug />
Let's see what happens...

I would be somewhat nervous about making the assertion
that a domain is the author of a message. That might be
exploited for purposes of legal mumbo-jumbo.

The domain signs mails of authors using From-addresses in
this domain, and it is free to assert this "ASP", it does
not say that it "is the author".  Actually domains do not
"sign" or "say" anything, that is already an abstraction.

But "domain is the author" clearly make no sense.  IANAL,
if you are worried add an explanation to the "overview".

 Frank

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html