It may not be enough but it still closes a hole that we need to close (in my
view).
--
Arvel
----- Original Message -----
From: "Earl Hood" <earl(_at_)earlhood(_dot_)com>
To: <ietf-mailsig(_at_)imc(_dot_)org>
Sent: Wednesday, July 27, 2005 9:58 PM
Subject: Re: SSP outbound signing policy
On July 27, 2005 at 21:33, "Hector Santos" wrote:
> o=~ NEUTRAL or RELAXED (signature optional [,No 3rd party?])
> o=- STRONG (signature required, 3rd party allowed)
> o=! EXCLUSIVE (signature required, no 3rd party)
> o=. NEVER (no mail expected)
> o=^ USER
Right. This is why I had the parenthetical 3rd party question mark in
the
Neutral option. The specs does not specifically states neutral policy
allows
for 3rd party signing.
I think your WEAK idea clears it up:
o=? WEAK (signature optional, no third party)
o=~ NEUTRAL or RELAXED (signature optional, 3rd aparty allowed)
I think this is not enough. To enable third-party signing, the
ability to list which signing agents are allowed to sign must
be provided. Otherwise, enabling third-party signing opens you
up to spoof attacks, making third-party signing pointless.
Related to this is that third-party signing would require DKIM to be
modified to state that the i= tag does not need to be a subdomain of
the d= tag since the signing address can be of a different domain
from the signer. Or, if third-party signing is done, the i= tag
should not be specified.
--ewh