ietf-mailsig
[Top] [All Lists]

Re: SSP outbound signing policy

2005-07-27 21:37:40

It may not be enough but it still closes a hole that we need to close (in my view).

--
Arvel


----- Original Message ----- From: "Earl Hood" <earl(_at_)earlhood(_dot_)com>
To: <ietf-mailsig(_at_)imc(_dot_)org>
Sent: Wednesday, July 27, 2005 9:58 PM
Subject: Re: SSP outbound signing policy



On July 27, 2005 at 21:33, "Hector Santos" wrote:

> o=~ NEUTRAL or RELAXED (signature optional [,No 3rd party?])
> o=-  STRONG  (signature required, 3rd party allowed)
> o=!  EXCLUSIVE (signature required, no 3rd party)
> o=.  NEVER  (no mail expected)
> o=^  USER

Right. This is why I had the parenthetical 3rd party question mark in the Neutral option. The specs does not specifically states neutral policy allows
for 3rd party signing.

I think your WEAK idea clears it up:

    o=?  WEAK (signature optional, no third party)
    o=~ NEUTRAL or RELAXED (signature optional, 3rd aparty allowed)

I think this is not enough.  To enable third-party signing, the
ability to list which signing agents are allowed to sign must
be provided.  Otherwise, enabling third-party signing opens you
up to spoof attacks, making third-party signing pointless.

Related to this is that third-party signing would require DKIM to be
modified to state that the i= tag does not need to be a subdomain of
the d= tag since the signing address can be of a different domain
from the signer.  Or, if third-party signing is done, the i= tag
should not be specified.

--ewh






<Prev in Thread] Current Thread [Next in Thread>