> YES! However, this checking currently goes contrary
> to the wording of the SSP draft. If the signature is
> valid, doing a SSP lookup is not required.
I don't see that in the SSP draft. I see this:
"If the message contains a valid signature on behalf of the
Originator Address no Sender Signing Policy Check need
be performed: the verifier SHOULD NOT look up the Sender
Signing Policy and the message SHOULD be considered
non-Suspicious."
The key is the "on behalf of the Originator Address" language. Since that
isn't the case in the examples we've been discussing an SSP check would
apply.
We need clearer text in the SSP draft citing when a check is required and
when it isn't. Perhaps this language could clear it up some:
"Sender Signing Policy Checks MUST be based on the Originator Address and
are REQUIRED in the following situations:
a) all unsigned messages MUST perform a Sender Signing Policy Check
b) all signed messages in which there are no verifiable signatures MUST
perform a Sender Signing Policy Check
c) all signed messages which contain a verifiable signature in which the
domain of the signing entity is not the same as or a parent domain of the
Originator Address MUST perform a Sender Signing Policy Check
If the message contains a valid signature in which the domain of the signing
entity is the same as or a parent domain of the Originator Address then no
Sender Signing Policy Check need be performed: the verifier SHOULD NOT look
up the Sender Signing Policy and the message SHOULD be considered
non-Suspicious.
Sender Signing Policy Checks are done by doing a DNS query to the domain
specified in the Originator Address. The query MUST be for the search key
"_policy._domainkey.<domain>", where <domain> is the domain of the
Originator Address. The query may return either a DKSSP record or a TXT
record; the DKSSP record MUST override the TXT record."
--
Arvel
----- Original Message -----
From: "Earl Hood" <earl(_at_)earlhood(_dot_)com>
To: <ietf-mailsig(_at_)imc(_dot_)org>
Sent: Wednesday, July 27, 2005 9:30 PM
Subject: Re: The cost of choices
On July 27, 2005 at 19:31, "Arvel Hathcock" wrote:
> Yes, this is correct and is the mechanism preventing an attacker from
> spoofing your domain in the From header and signing with his own key
> thereby possibly making the recipient assume you sent a signed message.
YES! However, this checking currently goes contrary to the wording
of the SSP draft. If the signature is valid, doing a SSP lookup
is not required.
To deal with the above scenario, SSP lookup must always be done,
even if the signature is valid.
--ewh
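As an added illustration of the decision rules in Arvel's proposed draft text above (this is not code from the thread, from the SSP draft, or from any DKIM implementation), the following Python encodes when a Sender Signing Policy Check applies and where the `_policy._domainkey.<domain>` query would be issued. The DNS lookup is replaced by a constructed in-memory table of hypothetical records so it runs offline; the record contents are placeholders and are not interpreted.

```python
"""Sender Signing Policy (SSP) check decision logic.

Added example, not code from the thread or from any DKIM implementation.
Rules encoded (from the proposed draft text in the thread):
  a) unsigned messages                                -> SSP check required
  b) signed, but no verifiable signature               -> SSP check required
  c) verifiable signature whose signing domain is not the Originator
     Address domain or a parent of it                 -> SSP check required
  Otherwise (verifiable signature from the originator's domain or a parent
  of it) -> no SSP lookup, message considered non-Suspicious.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Signature:
    domain: str        # domain of the signing entity (the d= of the signature)
    verifiable: bool   # True if the signature verified against the message


def originator_domain(originator_address: str) -> str:
    """Return the lower-cased domain part of an Originator Address."""
    _local, sep, domain = originator_address.rpartition("@")
    if not sep or not domain:
        raise ValueError(f"not an address: {originator_address!r}")
    return domain.lower().rstrip(".")


def is_same_or_parent(signing_domain: str, orig_domain: str) -> bool:
    """True if signing_domain equals orig_domain or is a parent domain of it.

    The comparison is label-wise, so 'example.com' is a parent of
    'mail.example.com' but 'ample.com' is not a parent of 'example.com'.
    """
    s = signing_domain.lower().rstrip(".").split(".")
    o = orig_domain.lower().rstrip(".").split(".")
    return len(s) <= len(o) and o[-len(s):] == s


def ssp_check_required(originator_address: str, signatures: List[Signature]) -> bool:
    """Apply rules a), b), c) and the exemption for same-or-parent signers."""
    orig = originator_domain(originator_address)
    if not signatures:
        return True                                   # rule a: unsigned
    verifiable = [sig for sig in signatures if sig.verifiable]
    if not verifiable:
        return True                                   # rule b: nothing verifies
    # Rule c: an attacker signing a spoofed From with his own key has a
    # verifiable signature, but not from the originator's domain or a parent,
    # so the SSP check still applies. Any qualifying signature exempts the message.
    return not any(is_same_or_parent(sig.domain, orig) for sig in verifiable)


def ssp_query_name(originator_address: str) -> str:
    """The search key the draft text specifies for the SSP lookup."""
    return f"_policy._domainkey.{originator_domain(originator_address)}"


# Constructed, hypothetical records keyed by query name. A real verifier would
# issue DNS queries here; the record contents are placeholders, not parsed.
CONSTRUCTED_SSP_RECORDS: Dict[str, Dict[str, str]] = {
    "_policy._domainkey.example.com": {"DKSSP": "policy-from-dkssp", "TXT": "policy-from-txt"},
    "_policy._domainkey.example.org": {"TXT": "policy-from-txt"},
}


def lookup_ssp(originator_address: str,
               records: Dict[str, Dict[str, str]] = CONSTRUCTED_SSP_RECORDS) -> Optional[str]:
    """Fetch the policy; per the draft text a DKSSP record overrides a TXT record."""
    answer = records.get(ssp_query_name(originator_address))
    if answer is None:
        return None
    return answer.get("DKSSP") or answer.get("TXT")


def classify(originator_address: str, signatures: List[Signature],
             records: Dict[str, Dict[str, str]] = CONSTRUCTED_SSP_RECORDS) -> str:
    """Top-level verifier step: either skip the lookup or perform it."""
    if not ssp_check_required(originator_address, signatures):
        return "non-Suspicious (no SSP lookup)"
    policy = lookup_ssp(originator_address, records)
    return f"SSP check performed: policy={policy!r}"


if __name__ == "__main__":
    spoofed = [Signature("attacker.example", verifiable=True)]
    print(classify("alice@example.com", spoofed))
    print(classify("alice@mail.example.com", [Signature("example.com", verifiable=True)]))
```

The "parent domain" test is purely label-based, as the proposed text is worded; a deployment would want to decide how far up the tree a parent may be before it stops being meaningful (a top-level label alone would otherwise qualify as a parent of every address under it).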