ietf-dkim

[ietf-dkim] policy compliance at domain or identity

2008-03-11 12:19:34

1) What constitutes compliance with an "all" assertion
  a) Author Domain matching
     - global caveat for restricted keys whose identity is not within
       From header to ensure security with or without policy assertions.
     - compatible with RFC 4871 (valid == compliant).
     - valid signatures of non-restricted keys always assert compliance.
     - any identity can be associated with signature.
     - defensive strategies possible to better cope with compromised systems.
     - privacy can be retained.
     - ambiguous signatures are never required.

  b) Author Identity matching
     - Some valid signatures not compliant with "all" assertion.
     - Ambiguous signature required to remain compliant with "all" assertion.
     - Guessing on-behalf-of identity by examining the header stack may be required
       with single ambiguous signatures.
     - prevents reliance upon single signatures when identity clarity is desired.
     - may introduce identity exploits when signature pairs are not properly
       overlapped.

-Doug

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
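
An added example, not part of the original message or of any DKIM implementation: one reading of the two compliance rules listed above, applied to constructed signatures that are assumed to have already verified. The `Sig` class, the function names, the exact-domain comparison and the treatment of any `g=` value other than `*` as a restricted key are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Sig:
    """Constructed stand-in for a signature that already verified (RFC 4871)."""
    d: str         # d= signing domain
    i: str = ""    # i= signing identity; defaults to "@" + d when absent
    g: str = "*"   # g= key granularity; assumption: anything but "*" is restricted

    def identity(self):
        return (self.i or "@" + self.d).lower()

def split(addr):
    local, _, domain = addr.lower().rpartition("@")
    return local, domain

def domain_match(sig, author):
    """Option (a): a valid signature by the From domain complies with "all"."""
    if sig.d.lower() != split(author)[1]:
        return False
    if sig.g != "*":
        # Caveat for restricted keys: identity must be the From address.
        return sig.identity() == author.lower()
    return True

def identity_match(sig, author):
    """Option (b): the i= identity itself must match the From address."""
    a_local, a_domain = split(author)
    i_local, i_domain = split(sig.identity())
    # An empty local-part ("@domain") is the ambiguous signature.
    return i_domain == a_domain and i_local in ("", a_local)

def compare(sig, author):
    return domain_match(sig, author), identity_match(sig, author)

AUTHOR = "alice@example.com"   # constructed From address
CASES = {                      # constructed signatures
    "ambiguous": Sig(d="example.com"),
    "on-behalf-of": Sig(d="example.com", i="agent@example.com"),
    "restricted, other": Sig(d="example.com", i="bob@example.com", g="bob"),
    "restricted, author": Sig(d="example.com", i="alice@example.com", g="alice"),
}

if __name__ == "__main__":
    for name, sig in CASES.items():
        print(name, compare(sig, AUTHOR))
```

The "on-behalf-of" case is the one where the two rules diverge: the signature is valid and from the author's domain, yet under identity matching a second, ambiguous signature would be needed to stay compliant.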

  • [ietf-dkim] policy compliance at domain or identity, Douglas Otis <=