I forgot that we need to say what it means when this tag is missing:
p= A vertical-bar separated list of authorized third-party signers
(plain-text; OPTIONAL, default is no third-party signing
restrictions).
When using a policy which permits third-party signatures, this tag
allows you to specify the authorized third-parties. The value can
be a full email address or just a domain name which implies a
wild-carded local part.
Examples: arvel(_at_)altn(_dot_)com|imc.org|earlhood.com
--
Arvel
----- Original Message -----
From: "Arvel Hathcock" <arvel(_at_)altn(_dot_)com>
To: <ietf-mailsig(_at_)imc(_dot_)org>
Sent: Thursday, July 28, 2005 12:35 AM
Subject: SSP - specifying the third-parties
And to extend it further, the SSP should provide the ability to
list which domains are allowed to do third-party signing. Otherwise,
if it is boolean switch, turning on the switch open you up to
spoofing attacks.
Would there be enough room in 512 bytes to effectively do that?
One could not have a huge list, but something must be provided
or third-party signing support would be useless from a security
perspective. It seems 512 bytes should be sufficient.
I agree that some mechanism for specifying the "third-parties" would be
useful. Otherwise, using that policy type would be an open door to abuse.
How about this to start a discussion on it:
p= A vertical-bar separated list of addresses (plain-text; OPTIONAL).
When using a policy which permits third-party signatures, this tag
allows you to constrain the authorized third-
parties. The value can be a full email address or just a domain name
which implies a wild-carded local
part. Examples: arvel(_at_)altn(_dot_)com|imc.org|earlhood.com
--
Arvel