ietf-mailsig
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: SSP outbound signing policy

2005-08-01 00:53:54
from [Jim Fenton] [Permanent Link] 

Earl Hood wrote:


I think we see the term "3rd-party" differently.  I view the term in
association of an entities relationship with the OA.  If an entity
is the OA, or an official agent of OA operating in the same domain
(due to legal agreement), the entity is first-party.

3rd-party is any other entity.

So far, so good, I think.


A "3rd-party signature" is a signature created by a 3rd-party that
is either bound to the OA or to something else.
Here is where we differ. I view a signature which is bound to the OA to be first-party, and one which is not to be third-party. This makes it possible for a verifier which is evaluating SSP to determine unambiguously whether third-party policy applies or not. As the SSP specification is currently written, it also allows the verifier to determine whether it is even necessary to retrieve the SSP. 


In the examples provided other messages, a mailing list owner would be
a 3rd-party.  And in this case, a list owner may want to sign messages
where the signature is bound to the message as it is redistributed
to subscribers.  This 3rd-party signature is bound to the list owner
address and not the OA.  In this case, the OAs SSP does not play
a role.
I think it would play a role, and specifically an OA with an EXCLUSIVE signing policy would have difficulty sending to mailing lists which break the first-party signature. This is by design; one of the threats we are trying to address with EXCLUSIVE is that of a rogue "mailing list" which is not re-signing messages at all, but rather trying to pose as a list in order to legitimize a "broken" OA signature which is actually fraudulent. 


If the list owner attempts to bind the signature to the OA, the OAs
SSP plays a role, and if 3rd-party signatures are forbidden, the list
owner can create such a signature.
I don't understand the above paragraph, but hope that my explanation above helped. 


Am I off base here?  Regardless, the term "3rd-party" must be clearly
defined in the DKIM SSP so verifiers can properly honor SSPs.  Also,
it should be clear when one is refering to a "3rd-party entity"
versus a "3rd-party signature".
There is enough confusion about this that we definitely need to work on the text. 

-Jim
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • Re: SSP outbound signing policy, Jim Fenton <=
Previous by Date:  Re: DNS stuff, wayne
Next by Date:  DoS and Replay protection for message signatures, Douglas Otis
Previous by Thread:  Re: DNS stuff, wayne
Next by Thread:  DoS and Replay protection for message signatures, Douglas Otis
Indexes:  [Date] [Thread] [Top] [All Lists]