ietf-mailsig
[Top] [All Lists]

Re: 3rd party Signers - Definition/Usage

2005-07-28 13:23:26

On July 28, 2005 at 15:37, "Hector Santos" wrote:

I don't know if this has been already discussed and considered by the
DK/DKIM designers, but I don't see a clear definition of what exactly is
"3rd party" or "3rd party signing."

I think a further distinction needs to be made:

A 3rd-parties as relating to the Originating Address and 3rd-parties
not caring about the OA.

For example, in the mailing list scenario, the list software may want
to sign messages wrt to verifying the list and not the OA.  Right now,
DKIM does not support such a scenario since SSP is bound to the OA
and not the identity being signed, which would be the identity of
the list and not the OA.

Problems exist in DKIM with the establishment of verification chains
represented by multiple signatures.  Maybe it is just not able to
support it and such operations are forbidden.  Such scenarios really
complicate things at the MUA level if things like spoofing and phishing
are to be avoided.

What exactly are the scenarios here for 3rd party Signers?

a)  Mailing list server signers?
b)  Forwarding operations MTA signers?
c)  Hosted domains with alternative MSA/MTA signers?
d)  Service bureaus or clearing houses  MTA signers?

Or from a technical standpoint, we have a generic "3rd party" situation when
the:

     "DKIM d=domain"   IS NOT EQUAL  to "ORAD"

Where

    ORAD is the  Originating Responsible Address Domain.

It seems to me that a 3rd party signer needs to look up the ORAD SSP to see
if any 3rd party signing is allowed in the first play.

Yep.

I see a conflict with user addresses whose domain have DKIM policies, but
they use it on 3rd party services.

Tell me if these scenarios sound correct:

1)  A domain has an EXCLUSIVE SSP (o=!),  this means users of this domain
*CAN NOT* use another SERVICE that will might sign the outbound mail with
the ORAD (From:) is set to the user's address.

Side Note: You brush upon the case of who "owns" the SSP records for
the OA (Originating Address -- using term used in DKIM SSP draft).
The restriction you mention is really a negotiation between the OA
and the domain provider for the OA (a legal contract outside DKIM
operation).

2)  A domain has an NEUTRAL SSP (o=~),  this means users of this domain
*MAY* use another SERVICE that will might sign the outbound mail with the
ORAD (From:) is set to the user's address.

In short, it seems that signers need to take into account the ORAD SSP
before any signing takes place to see if its allowed.   If not, then we
really have PHISHING and SPOOFING problems.

Yep.

A scenario you left out is:

  A domain allows signing by a select list of 3rd-party services.

This is basically needed to make any 3rd-party signing usable from
a spoofing perspective.

Sort of related: A potential problem with SSP is that it works at
the domain level and not the address level, so if 3rd-party signing
is allowed for only a select list of entities, that list applies to
all addresses of the domain.

Maybe defining SSPs at the address level is something DKIM does
not want to support.  However, such limitation would appear to be
inconsistent with the ability to defining signing keys at a per
identity/address level.

--ewh

<Prev in Thread] Current Thread [Next in Thread>