ietf-mailsig

Re: Differences in signing

2004-11-05 22:15:07

At 09:19 AM 11/4/2004 -0600, Dennis Dayman wrote:

I'm new to this list, but wanted to know if anyone has any information on
the differences between Yahoo! and Cisco signing.

Dennis,

Here are what I see as the significant differences between Identified Internet 
Mail (Cisco) and DomainKeys (Yahoo!):

1. IIM sends the public key along with the message, and contacts the 
originating domain to determine if it's authorized for the email address that 
was used.  DK sends a "selector" along with the message which is used to 
retrieve the key from the originating domain.  We believe the advantages of the 
IIM methodology include: (a) Less data has to be exchanged with the originating 
domain (and the size of the transaction is independent of the size of the key); 
(b) It does not create a server for keys of dubious reliability and might be 
used for other applications which require greater security, and (c) Separates 
the authentication of the message from the authorization of the key, which has 
a small performance benefit and allows a recipient to better diagnose the cause 
of a failure to verify.

2. IIM has defined an HTTP-based method of key authorization in addition to 
DNS.  We believe that DNS-based authorization will be difficult for domains 
that have a lot of user-granularity keys to manage; also for some domains where 
DNS management and email account management are in different organizations.

3. IIM has some additional features to make messages robust against common 
modifications.  IIM copies the header that the signer wishes to certify, so 
that if the "real" headers in the message are modified (by a mailing list, for 
example) the copied headers can be verified and used.  IIM also has an optional 
body byte count which can be used to allow the message to be appended to 
(again, with common mailing list behavior in mind).

There are also some more subtle differences in how multiple signatures, if any, 
are handled and in what order they're evaluated.  And there are the inevitable 
syntax differences.

William Leibzon has compiled an excellent comparison matrix between several 
signing proposals, including IIM and DK.  It is at:

http://www.elan.net/~william/emailsecurity/emailsignatures-comparisonmatrix.htm

-Jim
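
The body byte count from point 3, sketched as an added example that is not part of the original message and does not reproduce IIM's wire format or code. Assumptions: HMAC with a constructed key stands in for the public-key signature, and the names `sign_body`, `verify_body` and the `count`/`sig` fields are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key. HMAC stands in for the signer's public-key signature
# so the example runs with the standard library only.
DEMO_KEY = b"constructed-demo-key"


def _mac(count: int, covered: bytes, key: bytes) -> str:
    # The count is bound into the signed data so it cannot be altered in transit.
    data = str(count).encode() + b":" + hashlib.sha256(covered).digest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_body(body: bytes, key: bytes = DEMO_KEY) -> dict:
    """Signer: cover the whole body and record how many bytes that was."""
    return {"count": len(body), "sig": _mac(len(body), body, key)}


def verify_body(received: bytes, meta: dict, key: bytes = DEMO_KEY) -> dict:
    """Verifier: check only the first `count` bytes; report the rest as unsigned."""
    count = meta.get("count")
    if not isinstance(count, int) or count < 0 or count > len(received):
        return {"valid": False, "reason": "count missing or exceeds body length",
                "unsigned_tail": b""}
    if not hmac.compare_digest(_mac(count, received[:count], key), str(meta.get("sig"))):
        return {"valid": False, "reason": "signed bytes were modified",
                "unsigned_tail": b""}
    # Anything after `count` was added after signing and carries no assurance.
    return {"valid": True, "reason": "ok", "unsigned_tail": received[count:]}


if __name__ == "__main__":
    body = b"Meeting moved to 3pm.\r\n"                      # constructed sample
    footer = b"-- \r\nexample-list footer (constructed)\r\n"  # added by a list
    meta = sign_body(body)
    for label, msg in [("as sent", body), ("footer appended", body + footer),
                       ("text altered", body.replace(b"3pm", b"9pm") + footer),
                       ("truncated", body[:-5])]:
        print(label, verify_body(msg, meta))
```

A recipient that accepts such a message should treat `unsigned_tail` as unauthenticated content, since the signature says nothing about it.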



