
Re: remote signing, was BATV pseudo-Last Call

2008-05-20 11:03:35

> There are likely to be cases within a domain where a client wants to
> get his address "signed" with BATV but where you don't want to hand
> out the shared secret (or private key for that matter) to the client.

Sure, but this is hardly a concern unique to BATV.  DKIM has the same
issue, as I expect does any other content signing scheme.  We didn't
think that we had to define remote signing methods for DKIM, so it's
not clear to me why we have to define them here.


> P.S. One way to finesse this would be to have the submission server
> echo the changed address in response to a MAIL FROM. That way a
> client could get its address "signed" by starting a transaction,
> getting the MAIL FROM response, and issuing a RSET. It's a way to do
> it with essentially no protocol additions or changes.

That's very clever, but it also seems contrived.  The client can
connect to the submit server, can log into it (I presume, since doing
this for strangers would be a huge security hole), and can even start
an SMTP session, yet it doesn't send the message that way.  While I'm
not denying that such scenarios exist, they're pretty exotic, and I
wouldn't have any confidence that I understood their issues well
enough to invent a remote signing scheme that would work for enough of
them to matter.

Heck, if you just want a hack, all you need is an e-mail address that
is known to return a DSN.  Send it a message through the submit server
you don't want to use for your real mail, and extract your signed
bounce address from the DSN you get back.
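The thread's whole argument turns on who holds the BATV signing secret. The following Python is an added illustration, not code from the thread or from the BATV draft: it tags a bounce address with a keyed signature and verifies incoming bounces against that tag, so that only the MTA holding the secret can mint tags that its own inbound side accepts. The field layout (`prvs=` + key version digit + 3-digit expiry day + 6 hex chars of a truncated HMAC-SHA1) is modeled loosely on BATV's prvs tag but simplified; the exact layout, the HMAC truncation, the `SECRET` value and the 30-day maximum lifetime are assumptions of this example rather than details from the page.

```python
import hmac
import hashlib
import re
from datetime import date, timedelta

# Constructed shared secret for the example. It lives only on the signing and
# verifying MTA; the thread is about clients that must never receive it.
SECRET = b"example-shared-secret-not-for-production"

# prvs=<key version><3-digit expiry day><6 hex sig>=<local>@<domain>
TAG_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=([^@]+)@(.+)$")

MAX_LIFETIME_DAYS = 30  # assumption: reject tags claiming a longer window


def _signature(key, version, expiry_day, local, domain):
    """Truncated HMAC-SHA1 over the tag fields and the original address."""
    msg = f"{version}{expiry_day:03d}{local}@{domain}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def sign_address(local, domain, key, today, lifetime_days=7, version=0):
    """Return the BATV-style tagged bounce address for local@domain.

    The expiry is stored as a day number modulo 1000, so the tag stays short
    while still letting the verifier bound the replay window.
    """
    expiry_day = (today.toordinal() + lifetime_days) % 1000
    sig = _signature(key, version, expiry_day, local, domain)
    return f"prvs={version}{expiry_day:03d}{sig}={local}@{domain}"


def verify_address(tagged, key, today):
    """Return the untagged address if the tag is valid and unexpired, else None.

    A bounce whose recipient fails this check was not sent for a message we
    signed (or the tag has expired), so it can be rejected at SMTP time.
    """
    m = TAG_RE.match(tagged)
    if not m:
        return None  # not a tagged address at all
    version, expiry_str, sig, local, domain = m.groups()
    expiry_day = int(expiry_str)

    # Days remaining until expiry, in the same modulo-1000 arithmetic.
    days_left = (expiry_day - today.toordinal()) % 1000
    if not (0 < days_left <= MAX_LIFETIME_DAYS):
        return None  # expired, or claiming an implausibly long lifetime

    expected = _signature(key, int(version), expiry_day, local, domain)
    if not hmac.compare_digest(sig, expected):
        return None  # forged, tampered, or signed with a different key
    return f"{local}@{domain}"


if __name__ == "__main__":
    today = date(2008, 5, 20)
    tagged = sign_address("alice", "example.com", SECRET, today)
    print("tagged bounce address:", tagged)
    print("valid today:", verify_address(tagged, SECRET, today))
    print("valid after 8 days:", verify_address(tagged, SECRET, today + timedelta(days=8)))
    # A client holding only its own key cannot produce a tag the MTA accepts,
    # which is the reason the thread looks for a way to sign remotely.
    print("signed with the wrong key:",
          verify_address(sign_address("alice", "example.com", b"other", today), SECRET, today))
```

The verifier runs on the inbound side of the same MTA that signed, so the secret never leaves that system; a client that wants a tagged address must obtain one from the server, which is exactly the gap the quoted proposal and the DSN trick are trying to fill.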
