Tony,
Thanks. Let's continue the exercise.
Permit me to continue to ask questions. (I am going to refrain from
stating my own preferences, for the moment, because I am more
concerned that the group of us reach some agreement than that my own
preferences prevail. Besides that, I'm not sure I have many at this
point...)
1. Who is supposed to do the signing? That is, what is the
"nature" of the entity doing the signing?
An agent of the domain of the message's sender.
the word "sender" is unfortunately ambiguous. people use it in lots
of different ways, so let's see if we can say this with different
language. For example, what is the "responsibility" of this entity
(not the agent but the thing the agent is an agent of... hmmm. friday
night and no wine yet. so that sort of writing is something of an
accomplishment.)
A message may be sent
more than once so it should be able to have more than one
signature.
Why should more than one signature be allowed?
More than one creates complexity. What benefits are obtained and why
are they enough to offset the extra complexity?
There's a problem here that the domain might not be well defined,
how can a domain not be well defined? i really don't understand.
even in simple cases of one sender and direct delivery to the
final recipient. For example, we authenticate our users in the
context of our message store service, hermes.cam.ac.uk (which is
the email domain that appears in the Sender: header), but there
are lots of virtual domains that users might use in their From:
header, most commonly cam.ac.uk but also dept.cam.ac.uk and
oddities like dotat.at. In the latter cases there's no way that
outside entities can determine that some user @hermes.cam.ac.uk is
entitled to use a From: address @wossname.cam.ac.uk, so if the
"entitled to use a From" presumes a particular security-related goal
from the signature.
how would you phrase that goal and why is it really what mailsig
should be trying to do?
signature is tied to the Sender: the recipient will have to trust
the signer's checking of the From:, or rely on accreditation
and/or reputation services.
This starts down the path of answering my above question. But we need
to go farther down it.
An example question:
Is the goal to "trust the From" or to "trust that the content is
within some bounds of acceptability"? They strike me as different
goals.
2. What does their signature mean? What "encumbrance" or
obligation does the signatory take on, by doing the signing?
The signature means that the sender of the message was authorized
to do so by the domain identified in the signature.
ok. that sounds both simple and useful.
it also strikes me that it does not necessarily mean anything about
the From field, per se, contrary to the implications I was drawing
from your comments above.
(This phrasing allows the domain of the sender and the domain of
the signer to be different. I don't know if this would be useful
or confusing.)
(the ESTG group of heavyweights came to the conclusion that the sig
domain should be recorded in a new field. i'd take that as their
agreeing with your thought.)
3. What is the intended purpose of the signature? What does
it prove and to whom? How is it supposed to be used?
Two parts to this:
(1) If the message has a signature that fails to validate, it
should be possible to reject the message with a very low
likelihood that legitimate messages will be rejected.
(2) If the message has a signature that validates, we can look up
the signer in reputation and/or accreditation databases to help us
decide the message's disposition.
these sound reasonable, but are not really what i meant to ask for.
They are stated pretty much as low-level mechanical choices. What i
am asking is the higher-level purpose of the signature.
some examples might be:
1. the signature specifies who will pay for monetary damages caused
by the message
2. the signature specifies who is asserting that the message is
acceptable
3. the signature specifies that the message is not spam
4. the signature specifies who to contact if there is a problem
5. ...
4. What is the intended lifetime for a singature? For how
long is it supposed to be valid?
At least until final delivery into a message store, and perhaps
until it is fetched by the user's MUA.
"the user" refers to what entity or role within an email scenario?
where is their address specified?
and i assume this means that "delivery" is defined to coincide with
the SMTP point of generating a successful DSN?
So a minimum of around a
month. It should probably work after transmission via mailing list
reflectors,
why?
and also resending and message/rfc822 forwarding,
Why?
For how many decades after initial delivery?
and
it should allow for multiple signatures to cope with the first two
of these cases.
Please explain. What is the point behind having multiple signatures?
d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
www.brandenburg.com