Earl Hood wrote:
> I think we see the term "3rd-party" differently. I view the term in
> association with an entity's relationship with the OA. If an entity
> is the OA, or an official agent of the OA operating in the same domain
> (due to legal agreement), the entity is first-party.
> 3rd-party is any other entity.
So far, so good, I think.
> A "3rd-party signature" is a signature created by a 3rd-party that
> is either bound to the OA or to something else.
Here is where we differ. I view a signature which is bound to the OA to
be first-party, and one which is not to be third-party. This makes it
possible for a verifier which is evaluating SSP to determine
unambiguously whether third-party policy applies or not. As the SSP
specification is currently written, it also allows the verifier to
determine whether it is even necessary to retrieve the SSP.
> In the examples provided in other messages, a mailing list owner would be
> a 3rd-party. And in this case, a list owner may want to sign messages
> where the signature is bound to the message as it is redistributed
> to subscribers. This 3rd-party signature is bound to the list owner
> address and not the OA. In this case, the OA's SSP does not play
> a role.
I think it would play a role, and specifically an OA with an EXCLUSIVE
signing policy would have difficulty sending to mailing lists which
break the first-party signature. This is by design; one of the threats
we are trying to address with EXCLUSIVE is that of a rogue "mailing
list" which is not re-signing messages at all, but rather trying to pose
as a list in order to legitimize a "broken" OA signature which is
actually fraudulent.
> If the list owner attempts to bind the signature to the OA, the OA's
> SSP plays a role, and if 3rd-party signatures are forbidden, the list
> owner can create such a signature.
I don't understand the above paragraph, but hope that my explanation
above helped.
> Am I off base here? Regardless, the term "3rd-party" must be clearly
> defined in the DKIM SSP so verifiers can properly honor SSPs. Also,
> it should be clear when one is referring to a "3rd-party entity"
> versus a "3rd-party signature".
There is enough confusion about this that we definitely need to work on
the text.
-Jim
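The following is an added example, not code from either correspondent or from any DKIM/SSP implementation. It models the distinction Jim describes: a signature whose d= domain is the OA's domain is first-party, anything else is third-party, and a verifier that finds a valid first-party signature never needs to retrieve the SSP. The policy table, the policy name THIRD_PARTY_OK (only EXCLUSIVE appears in the thread), the verdict strings and the sample headers are all constructed assumptions; real SSP records and DKIM tag parsing are more involved than this sketch.

```python
from email.utils import parseaddr

# Constructed stand-in for the DNS SSP lookup, keyed by OA domain.
# "EXCLUSIVE" is the policy named in the thread; "THIRD_PARTY_OK" is an assumed
# name for a policy that accepts third-party signatures.
POLICIES = {"bank.example": "EXCLUSIVE", "blog.example": "THIRD_PARTY_OK"}


def oa_domain(from_header):
    """Domain of the Originating Address, taken from the From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def signature_domain(dkim_header):
    """Return the d= tag (signing domain) of a DKIM-Signature header value.

    Splitting on ';' then partitioning on the first '=' keeps the b= tag intact
    even though base64 padding also contains '='.
    """
    for tag in dkim_header.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "d":
            return value.strip().lower()
    return None


def classify(from_header, dkim_header):
    """Jim's definition: bound to the OA's domain -> first-party, else third-party."""
    if signature_domain(dkim_header) == oa_domain(from_header):
        return "first-party"
    return "third-party"


def evaluate(from_header, signatures, lookup_policy=POLICIES.get):
    """Decide on a message after the cryptographic checks have already run.

    signatures: list of (dkim_header_value, verified_ok) pairs.
    Returns (verdict, ssp_fetched) so a caller can see whether the SSP lookup
    was even necessary.
    """
    valid_parties = {classify(from_header, h) for h, ok in signatures if ok}

    # A valid first-party signature settles the question; no SSP retrieval needed.
    if "first-party" in valid_parties:
        return "pass", False

    policy = lookup_policy(oa_domain(from_header))
    if policy == "EXCLUSIVE":
        # Only the OA's own signature counts. A valid third-party signature
        # (e.g. a list re-signing a message whose OA signature it broke) does
        # not legitimize the broken or missing first-party signature.
        return "fail", True
    if "third-party" in valid_parties:
        return "pass-third-party", True
    return "neutral", True


# Constructed sample headers (no real keys or signatures).
OA_SIG = "v=1; a=rsa-sha256; d=bank.example; s=sel; h=from:to; bh=AAAA=; b=BBBB=="
LIST_SIG = "v=1; a=rsa-sha256; d=lists.example; s=lst; h=from:to; bh=CCCC=; b=DDDD=="


def mailing_list_scenario(from_header):
    """OA signature broken in transit by a list, which then added its own valid signature."""
    return evaluate(from_header, [(OA_SIG, False), (LIST_SIG, True)])


if __name__ == "__main__":
    print(evaluate("Alice <alice@bank.example>", [(OA_SIG, True)]))
    print(mailing_list_scenario("Alice <alice@bank.example>"))
    print(mailing_list_scenario("Bob <bob@blog.example>"))
```

The mailing-list call is the case discussed above: under EXCLUSIVE the list's valid third-party signature does not rescue the message, which is the intended behaviour against a rogue "list" that presents a broken OA signature alongside its own; under the permissive policy the same message passes on the third-party signature.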