ietf-mailsig

Re: The cost of choices

2005-07-28 18:47:51

On July 28, 2005 at 16:57, Jim Fenton wrote:

And to extend it further, the SSP should provide the ability to
list which domains are allowed to do third-party signing.  Otherwise,
if it is a boolean switch, turning on the switch opens you up to
spoofing attacks.

If someone outside the domain is an authorized sender, how about 
delegating a key (selector) to them so that they can apply a first-party 
signature?  This can either be done on an individual-selector basis, or 
it's even possible to delegate a selector hierarchy 
(*.outsource._domainkey.example.com) to them.

I'm not seeing how this prevents a malicious domain from spoofing
the OP identity if the OP has third-party signatures enabled?

If you can provide a more detailed example, I would appreciate it.

Thanks,

--ewh
