ietf-mailsig

Re: The cost of choices

2005-07-28 17:01:53

Earl Hood wrote:

On July 28, 2005 at 12:10, "James Scott" wrote:

that is, if i delegate arvel.bbiw.net to you, either it validates under bbiw.net or it doesn't. it requires no "policy" publication for others to query.

My understanding of the process from the drafts is that if a message from an
"alleged sender" in domain arvel.bbiw.net was received containing a valid
dkim signature applied by a third party, then the signing policy of the
"alleged sender" needs to be checked to determine whether that sender
permits such third party signatures.

And to extend it further, the SSP should provide the ability to
list which domains are allowed to do third-party signing.  Otherwise,
if it is a boolean switch, turning on the switch opens you up to
spoofing attacks.

If someone outside the domain is an authorized sender, how about delegating a key (selector) to them so that they can apply a first-party signature? This can either be done on an individual-selector basis, or it's even possible to delegate a selector hierarchy (*.outsource._domainkey.example.com) to them.

-Jim
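
An added illustration of the selector-delegation approach in the message above (not code from the list or the drafts): it computes the DNS name a verifier queries for a signature's key and whether the signature is first-party, so no third-party policy check is needed. It assumes the `d=` and `s=` tag names and the `<selector>._domainkey.<domain>` lookup name, and treats "first-party" as `d=` equal to the From domain; the delegation map, selectors and signature values are constructed.

```python
"""Added example: where a DKIM key is fetched and who controls that name."""

# Hypothetical delegation map: DNS subtree -> party that operates it.
DELEGATED = {"outsource._domainkey.example.com": "outsourcer"}

# Constructed DKIM-Signature values (b=/bh= omitted; nothing is verified here).
SIG_DELEGATED = "v=1; a=rsa-sha256; d=example.com; s=mail1.outsource; h=from"
SIG_IN_HOUSE = "v=1; a=rsa-sha256; d=example.com; s=hq2005; h=from"
SIG_THIRD_PARTY = "v=1; a=rsa-sha256; d=esp.example.net; s=k1; h=from"


def parse_tags(value):
    """Split a tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())
    return tags


def under(name, zone):
    """True when name equals zone or is a descendant of it (label-aligned)."""
    return name == zone or name.endswith("." + zone)


def classify(from_domain, sig_value, delegated=DELEGATED):
    """Describe one signature relative to the alleged sender's domain."""
    tags = parse_tags(sig_value)
    if "d" not in tags or "s" not in tags:
        raise ValueError("signature lacks d= or s=")
    domain = tags["d"].lower().rstrip(".")
    query = f"{tags['s'].lower()}._domainkey.{domain}"
    first_party = domain == from_domain.lower().rstrip(".")
    operator = next(
        (who for zone, who in delegated.items() if under(query, zone)), None
    )
    return {
        "query": query,                  # name the verifier looks up
        "first_party": first_party,      # signed in the sender's own domain
        "key_operator": operator,        # None means the domain owner itself
        "needs_policy_lookup": not first_party,
    }
```

With a delegated selector the outsourcer's mail still verifies under `example.com`, whereas a signature carrying the outsourcer's own `d=` is the third-party case that sends the verifier to the sender's signing policy.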
