ietf-mailsig

Re: DKIM Verification Algorithm

2005-08-02 05:48:03


----- Original Message -----
From: "william(at)elan.net" <william(_at_)elan(_dot_)net>
To: "Hector Santos" <hsantos(_at_)santronics(_dot_)com>
Cc: "IETF-MAILSIG" <ietf-mailsig(_at_)imc(_dot_)org>
Sent: Tuesday, August 02, 2005 5:15 AM
Subject: Re: DKIM Verification Algorithm



On Mon, 1 Aug 2005, Hector Santos wrote:

[2] Arvel suggested another policy called WEAK which satisfies a
signature optional but not allowing 3rd party signers.

What is the reasoning behind the need for such an option?

I see none since if signature is optional somebody who is trying to
pretend to be you need not resign the email - he can just go ahead
and use your existing email removing your signature from it (or compose
new email pretending to be you).

Of course, I can see the same thing happening with any relaxed policy.

I believe it (WEAK) offers a stronger policy than NEUTRAL which does allow
for a 3rd party signer and a lower trust.  At least with the WEAK, it
protects against 3rd party signing (if detected).


             +------------------------------------------------------+
             |            Sender Signing Policy Result              |
 +-----------+----------------------------------------------+-------|
 | result    |  WEAK  | NEUTRAL | STRONG  | EXCLU  | NEVER  | NONE  |
 | verify    |   OPT  | OPT/3PS | REQ/3PS |  REQ   |        |       |
 +-----------+--------+---------+---------+--------+--------+-------|
 | NONE      | accept | accept  | reject  | reject | reject | accept|
 |-----------+--------+---------+---------+--------+--------+-------|
 | PASS      | accept | accept  | accept  | accept | reject | warn  |
 |-----------+--------+---------+---------+--------+--------+-------|
 | PASS 3PS  | reject | warn    | accept  | reject | reject | warn  |
 |-----------+--------+---------+---------+--------+--------+-------|
 | FAIL      | warn   | warn    | warn <.-+> warn  | reject | warn  |
 |-----------+--------+---------+-------+-+--------+--------+-------|
 | FAIL 3PS  | reject | warn    | warn <|-+> reject| reject | warn  |
 +--------------------------------------+---------------------------+
       |   ^
       these all should be reject -+   |
                |
      warn from this column are unclear to me

Not sure which you are referring to?

FAIL verify, EXCLUSIVE?
FAIL 3PS verify, EXCLUSIVE?

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com




