[ietf-dkim] A few SSP axioms

Scott Kitterman ietf-dkim at kitterman.com
Mon Jul 31 10:27:00 PDT 2006


On 31 Jul 2006 15:46:41 -0000 John Levine <johnl at iecc.com> wrote:
>>>So here's the main SSP axiom that I think should be self-evident, but 
>>>apparently isn't: other than the trivial (but useful) case of I send no 
>>>mail, the most that SSP can tell you is that a signature is missing.
>
>>I take it then that you see distinguishing between first party and third 
>>party signatures as either being of no value or not being feasible?
>
>I don't see the phrases "first party" or "third party" in there,
>either explicitly or otherwise.
>
I think this is the key issue then and we ought to focus on it.  In my view 
almost the entire point of a signing policy is constraining whose 
signatures are considered authorized by the domain owner.  If we can't 
figure out how to do that, then we can't accomplish anything worth doing.  
Policies that assert all messages are signed, with no potential to 
constrain which signing domains are authorized, are trivially spoofable.

I think that the pre-WG SSP draft shows the way to at least a minimally 
useful signing policy approach that makes some distinction and so I don't 
think that your assumption is correct.  DSAP is another approach that 
appears feasible.  

The challenge for the group is to determine how and if we can restrict 
authorized signing domains.  If we can't, we may as well give up on the 
whole concept.

Scott K
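
The distinction argued in the message above, modelled from the verifier's side as an added example (not part of the original post or of any SSP or DSAP draft). The policy names "all-signed" and "restricted", the authorized list and all domains are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    d: str        # signing domain, as carried in the DKIM d= tag
    valid: bool   # outcome of cryptographic verification (assumed done elsewhere)

def evaluate(from_domain, signatures, policy, authorized=()):
    """Verifier-side check under a simplified, hypothetical policy model."""
    from_domain = from_domain.lower()
    valid_signers = {s.d.lower() for s in signatures if s.valid}
    if policy == "all-signed":
        # Policy says only "every message is signed": any valid signature counts.
        ok = bool(valid_signers)
    elif policy == "restricted":
        # Policy also constrains who may sign: the author domain itself
        # plus any signing domains the owner lists as authorized.
        allowed = {from_domain} | {a.lower() for a in authorized}
        ok = bool(valid_signers & allowed)
    else:
        raise ValueError(f"unknown policy: {policy!r}")
    return "pass" if ok else "suspicious"

# Constructed sample messages, all claiming From: example.com
SAMPLES = {
    "first-party": [Signature("example.com", True)],
    "authorized third party": [Signature("lists.example.net", True)],
    "unrelated signer": [Signature("unrelated.example.org", True)],
    "broken signature": [Signature("example.com", False)],
    "unsigned": [],
}

def run(policy):
    # Evaluate every sample against one policy; lists.example.net is the
    # only third-party signer the (hypothetical) domain owner authorizes.
    return {name: evaluate("example.com", sigs, policy,
                           authorized=["lists.example.net"])
            for name, sigs in SAMPLES.items()}

if __name__ == "__main__":
    for policy in ("all-signed", "restricted"):
        print(policy, run(policy))
```

The two policies disagree only on the "unrelated signer" row, which is the case the message says an unconstrained policy cannot catch.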

