[ietf-dkim] Re: 3rd party signing

Douglas Otis dotis at mail-abuse.org
Fri Jul 28 11:54:16 PDT 2006


On Jul 28, 2006, at 11:38 AM, Jim Fenton wrote:

> Michael Thomas wrote:
>> John L wrote:
>>> I still don't understand the scenario.  Let's call the domain  
>>> isp.com.
>>> Is it:
>>>
>>> A) No mail has an isp.com From: address, but mail with other  
>>> From: addresses may have an isp.com signature.
>>
>>
>> Consider what I believe Y! does in their MUA: if it's got a valid  
>> signature from isp.com with a From: foo at customer.com, it doesn't  
>> get a nice little message saying that Y! believes it came from  
>> customer.com. Thus the outsourced mail will not be treated on a  
>> par with mail signed on behalf of the domain.
>
> But suppose example.com is not a customer of isp.com but yet a  
> message from example.com has a valid signature from isp.com.  Are  
> you saying that Y! should say that it believes it came from  
> example.com, based on the assertion by isp.com that it only signs  
> third-party messages?

A better ISP could confirm the valid use of an email-address as a low  
cost means of enhancing their services.  This might involve noting  
that the email-address has not been used previously by this user and  
requesting that they confirm that they receive messages for this address  
by clicking on a link, for example.  With such an ISP, it would be  
safe to list them as a designated signer and still avoid spoofing.

> Maybe I have trimmed off too much context here, I thought we were  
> discussing the value of an "I only sign third-party messages".  I'm  
> with John; I don't see how that provides any useful information to  
> the verifier.

I think that Bill poorly stated the desired policy.  It should have  
been from the perspective of the OA rather than the signer.  This  
should have been that there are no designated signers for the OA of  
this domain.  Whether this domain signs messages for other OAs would  
be independent of this assertion.

-Doug

