ietf-mailsig

Re: SSP outbound signing policy

2005-07-29 14:03:17

Earl Hood wrote:

On July 28, 2005 at 14:39, "Hector Santos" wrote:

Take for example with two signatures.  Is this an example of a 3rd party
signing?   What policy controls this?

Using your spoof example:

DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;
       c=simple; q=dns;
       h=Received : From : To : Subject : Date : Message-ID;
       b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
         VoG4ZHRNiYzR;
Received: from 10.2.3.4-example.com  [10.2.3.4]
       by submitserver.example.com with SUBMISSION;
       Fri, 11 Jul 2003 21:01:54 -0700 (PDT)
From: Joe User <joe.user@example.com>
To: Suzie Q <suzie@shopping.example.net>
Subject: I need your help?
Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
Message-ID: <20030712040037.46341.5F8J@example.com>

An SSP lookup for _policy._domainkey.example.com is done.  In order for this
to pass, example.com must allow for a relaxed/neutral policy.

The above example I provided does not provide an i= tag, so it assumes,
according to the DKIM draft, that i= is equivalent to d=.  The problem
occurs if the signer wants to set i= to the actual identity of the
entity they are signing for if the signer is acting as a third-party
agent.  The DKIM states that i= must be a subdomain of d=, but this
seems restrictive for 3rd-party scenarios where the signer may be in
a different domain.

It's _supposed_ to be restrictive. That is, I don't want earlhood.com to be able
to assert i=mtcc.com without my permission. The way I grant permission is to
create a selector for your signer's key in mtcc.com's zone and then you just
sign as d=mtcc.com even though it's coming from one of your signers.

      Mike
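
The i=/d= restriction and the selector delegation discussed in this message, sketched as a verifier-side check. This is an added example, not code from the thread or from any DKIM implementation; the selector name "earlhood-signer" and all sample header values are constructed for illustration.

```python
# Added illustration: the i=/d= check and the key lookup name a verifier derives.
# The selector "earlhood-signer" and the sample values below are hypothetical.

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Folding whitespace inside a value is not significant here.
            tags[name.strip()] = "".join(val.split())
    return tags

def identity_allowed(tags):
    """True if the i= domain is d= itself or a subdomain of d=."""
    d = tags["d"].lower().rstrip(".")
    i = tags.get("i", "@" + d)  # with no i= tag, the identity is taken from d=
    i_domain = i.rpartition("@")[2].lower().rstrip(".")
    # Compare on a label boundary so "notmtcc.com" does not match "mtcc.com".
    return i_domain == d or i_domain.endswith("." + d)

def key_query_name(tags):
    """DNS name the public key is fetched from: always inside the d= zone."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def check(value):
    """Return ("reject", None) or ("lookup", <DNS name of the key record>)."""
    tags = parse_tags(value)
    if not identity_allowed(tags):
        return ("reject", None)
    return ("lookup", key_query_name(tags))

# Constructed samples.
CROSS_DOMAIN = "a=rsa-sha1; s=whatever; d=earlhood.com; i=@mtcc.com; c=simple; q=dns"
DELEGATED = "a=rsa-sha1; s=earlhood-signer; d=mtcc.com; c=simple; q=dns"
SUBDOMAIN = "a=rsa-sha1; s=whatever; d=mtcc.com; i=mike@eng.mtcc.com"
LOOKALIKE = "a=rsa-sha1; s=whatever; d=mtcc.com; i=@notmtcc.com"

if __name__ == "__main__":
    for name, header in [("cross-domain i=", CROSS_DOMAIN), ("delegated", DELEGATED),
                         ("subdomain i=", SUBDOMAIN), ("lookalike i=", LOOKALIKE)]:
        print(f"{name:16} -> {check(header)}")
```

In the delegated case the key record is looked up under mtcc.com, so the signature only verifies if mtcc.com's zone publishes that selector.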
