[ietf-dkim] A few SSP axioms
hsantos at santronics.com
Tue Aug 1 10:34:24 PDT 2006
----- Original Message -----
From: "Stephen Farrell" <stephen.farrell at cs.tcd.ie>
To: "Hector Santos" <hsantos at santronics.com>
>> hmmm, Isn't this "highly exclusive" policy just happens to be the most
>> powerful protection the DKIM protocol has to offer?
> So, you're saying that...
> "A says he signs everything"
> ...is "weaker" than....
> "A says he signs everything and no-one else is allowed to sign A's mail"
Yes. I say that would be a weaker policy.
> What's the benefit for the signer/originator or the verifier? I just
> don't see one.
>From a security standpoint, the highest protection is the "Greedy One", the
one with high exclusivity with absolutely no expectation for tampering, gain
of new information, unknown finger prints, etc. This yields the highest
confidence for the DKIM protocol.
All other policies begin relaxed deviations of the highest protection
However, this does not exclude the possibility of a service bureau who
operates and provides a service as a transparent 3rd party signer in behalf
of the original party. This is also a highly possible scenario for mail
servers who are locally hosting domains and is providing a "Complete DKIM
Signing Service Plan(s)" for this hosted domains.
Plan 1 - Host signs as 3rd party for domain - $.10 per msg
Plan 2 - Host signs as 1st party for domain - $.25 per msg
etc, in Plan 2, the host will basically create the keys for the domain or he
might allow the domain to create it.
This level of possible host/domain service contracts was discussed in quite
detail in the old list among myself, Earl Hood, Jim and a few others. Earl
Hood, as you probably now, is/was the chief architect for the GoodMail
system that touched base with much of what we are discussing here. Probably
doesn't hand around for NDA reasons now.
Hector Santos, Santronics Software, Inc.
More information about the ietf-dkim