
Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-20 21:43:47
I see a problem with "I allow 3rd party signers". In the case of a mailing list 
or forwarder or remailer, it may sign without the knowledge of the original 
sender, which is acceptable. 

----- Original Message ----- 
From: "Hector Santos" <hsantos(_at_)santronics(_dot_)com> 
To: "Franck Martin" <franck(_at_)genius(_dot_)com> 
Cc: "Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org>, 
ietf-dkim(_at_)mipassoc(_dot_)org 
Sent: Saturday, 21 February, 2009 11:59:28 AM (GMT+1200) Auto-Detected 
Subject: Re: [ietf-dkim] NO DKIM "POLICY" 

Franck Martin wrote: 
Any way to tell someone its signature is used in third party signing? 

AFAIK, not in a standard fashion 

As Doug pointed out, you can detect that it appears to be 3rd party, 
but the long debated issue has been how to determine if the 
3rd party was "authorized" to sign for the 1st party domain (Author 
Domain, From:) 

This was the original DKIM idea - to include POLICY ideas like this. 

DKIM was then separated as DKIM-BASE and SSP. SSP had policies like: 

I don't send mail 
I always sign 
I sometimes sign 
I allow 3rd party signers. 

I have a good diagram that illustrates the logic flow when SSP policy 
was considered: 

http://www.winserver.com/public/ssp-old/ssp.htm 

In short, verifiers could do policy DNS lookup and check the "o=" tag: 

o=. NEVER (no mail expected) 
o=? WEAK (signature optional, no third party) 
o=~ NEUTRAL (signature optional, 3rd party allowed) 
o=- STRONG (signature required, 3rd party allowed) 
o=! EXCLUSIVE (signature required, no 3rd party) 
o=^ USER 

If it was o=? or o=!, then that means no 3rd party signing was 
expected. If it was o=~ or o=-, then 3rd party was allowed, etc. 

But unfortunately, in the January 2008 blockbuster shock of the year, out 
of the blue, SSP was stripped down to what we have today, ADSP, which 
for the most part only has: 

dkim=unknown The domain might sign some or all email. 
dkim=all I always sign, only me. "Don't delete?" 
dkim=discardable same as all "but you can delete?" 

Maybe someone can confirm that, but I'm sure that is basically 
all it offers. 

To answer your question - not possible. 

The topic here, "NO DKIM", was trying to redeem something of the base 
spec hopefully, the NULL PUBLIC KEY, and that idea came from the author 
of DKIM. A customer of ours got a notice from one of their vendors 
about DKIM signing and wanted to know what they can do to isolate it. 

-- 
Sincerely 

Hector Santos 
http://www.santronics.com 
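As an added example that is not part of the thread, here is how a verifier can apply what the messages describe: it detects a third-party signature (a verified d= that differs from the From: domain, which ADSP cannot "authorize"), and it maps the three dkim= values listed above onto the ADSP result names of RFC 5617. The domains, the signature list and the record text are constructed; no DNS lookup is performed.

```python
# Added example (not from the thread): classify a message's DKIM signatures
# against the Author Domain and an ADSP record. Inputs are constructed.
from email.utils import parseaddr

ADSP_VALUES = ("unknown", "all", "discardable")  # the only values ADSP has

def parse_adsp(record):
    """Parse the TXT payload of _adsp._domainkey.<domain> (tag=value; ...).
    Returns the dkim= value, or None if the record is absent or invalid."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    value = tags.get("dkim")
    return value if value in ADSP_VALUES else None

def author_domain(from_header):
    """Domain of the address in From: (the Author Domain ADSP applies to)."""
    addr = parseaddr(from_header)[1]
    return addr.rpartition("@")[2].lower()

def classify(from_header, signing_domains, adsp_record):
    """signing_domains: d= values of signatures that already verified.
    Returns (author_signed, third_party_domains, adsp_result).
    A mailing list or forwarder signing with its own d= shows up in
    third_party_domains; ADSP has no way to say whether that is allowed."""
    author = author_domain(from_header)
    verified = {d.lower() for d in signing_domains}
    author_signed = author in verified          # Author Domain Signature?
    third_party = sorted(verified - {author})   # "appears to be 3rd party"
    policy = parse_adsp(adsp_record)
    if policy is None:
        result = "none"        # no usable ADSP record published
    elif author_signed:
        result = "pass"
    elif policy == "unknown":
        result = "unknown"     # domain might sign some or all mail
    elif policy == "all":
        result = "fail"        # all mail should carry an author signature
    else:
        result = "discard"     # dkim=discardable: receiver may drop it
    return author_signed, third_party, result
```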

