ietf-mailsig
[Top] [All Lists]

Re: SSP - specifying the third-parties

2005-07-27 23:01:01

I forgot that we need to say what it means when this tag is missing:

p=  A vertical-bar separated list of authorized third-party signers
(plain-text; OPTIONAL, default is no third-party signing restrictions).
     When using a policy which permits third-party signatures, this tag
     allows you to specify the authorized third-parties.  The value can
     be a full email address or just a domain name which implies a
     wild-carded local part.
     Examples:  arvel(_at_)altn(_dot_)com|imc.org|earlhood.com

--
Arvel


----- Original Message ----- From: "Arvel Hathcock" <arvel(_at_)altn(_dot_)com>
To: <ietf-mailsig(_at_)imc(_dot_)org>
Sent: Thursday, July 28, 2005 12:35 AM
Subject: SSP - specifying the third-parties



And to extend it further, the SSP should provide the ability to
list which domains are allowed to do third-party signing.  Otherwise,
if it is boolean switch, turning on the switch open you up to
spoofing attacks.

Would there be enough room in 512 bytes to effectively do that?

One could not have a huge list, but something must be provided
or third-party signing support would be useless from a security
perspective.  It seems 512 bytes should be sufficient.

I agree that some mechanism for specifying the "third-parties" would be useful. Otherwise, using that policy type would be an open door to abuse. How about this to start a discussion on it:

p=  A vertical-bar separated list of addresses (plain-text; OPTIONAL).
When using a policy which permits third-party signatures, this tag allows you to constrain the authorized third- parties. The value can be a full email address or just a domain name which implies a wild-carded local
     part.  Examples:  arvel(_at_)altn(_dot_)com|imc.org|earlhood.com

--
Arvel









<Prev in Thread] Current Thread [Next in Thread>