On Fri, 5 Nov 2004, Dave Crocker wrote:
1. Who is supposed to do the signing? That is, what is the "nature"
of the entity doing the signing?
An agent of the domain of the message's sender. Typical examples will be
the MSA or the outgoing border MTA. A message may be sent more than once
so it should be able to have more than one signature.
There's a problem here that the domain might not be well defined, even in
simple cases of one sender and direct delivery to the final recipient. For
example, we authenticate our users in the context of our message store
service, hermes.cam.ac.uk (which is the email domain that appears in the
Sender: header), but there are lots of virtual domains that users might
use in their From: header, most commonly cam.ac.uk but also dept.cam.ac.uk
and oddities like dotat.at. In the latter cases there's no way that
outside entities can determine that some user @hermes.cam.ac.uk is
entitled to use a From: address @wossname.cam.ac.uk, so if the signature
is tied to the Sender: the recipient will have to trust the signer's
checking of the From:, or rely on accreditation and/or reputation
services. This is related to the kind of problems you get if a message is
From: more than one person (though people who try to send such messages
are skating on thin interop ice already) or sent more than once.
2. What does their signature mean? What "encumbrance" or obligation
does the signatory take on, by doing the signing?
The signature means that the sender of the message was authorized to do so
by the domain identified in the signature.
(This phrasing allows the domain of the sender and the domain of the
signer to be different. I don't know if this would be useful or
confusing.)
3. What is the intended purpose of the signature? What does it
prove and to whom? How is it supposed to be used?
Two parts to this:
(1) If the message has a signature that fails to validate, it should be
possible to reject the message with a very low likelihood that legitimate
messages will be rejected.
(2) If the message has a signature that validates, we can look up the
signer in reputation and/or accreditation databases to help us decide the
message's disposition.
4. What is the intended lifetime for a singature? For how long is
it supposed to be valid?
At least until final delivery into a message store, and perhaps until it
is fetched by the user's MUA. So a minimum of around a month. It should
probably work after transmission via mailing list reflectors, and also
resending and message/rfc822 forwarding, and it should allow for multiple
signatures to cope with the first two of these cases.
Tony.
--
f.a.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
MALIN HEBRIDES: NORTHEAST 4 OR 5 INCREASING 6. RAIN LATER. GOOD BECOMING
MODERATE.