[ietf-dkim] SSP Responsibility Delegation - Security Concerns

Hector Santos hsantos at santronics.com
Wed Aug 16 17:00:27 PDT 2006

----- Original Message -----
From: "Jim Fenton" <fenton at cisco.com>

>> This seems like a minor change for the better.  What weakness
>> can't be fixed by the proper procedures followed by a
>> signing domain?

> The one I described:  the inability for a verifier to distinguish
> an author signature generated by the delegate from a
> third-party signature generated by the delegate operating in
> a different context.

This sounds more like a delegate problem.

If ISP.NET were going to play by the rules, then it would avoid such
activity of signing or re-signing mailing list mail when in fact it has an
exclusivity contract with the domain author.com to sign in an exclusive
manner on behalf of author.com.  He's breaking his own security as well as
the domain's.

This all goes back to the thread we had in MAILSIG:

3rd party Signers - Definition/Usage

Your scenario is all part of this.

What "contract" does the ISP have with the domain?

Also, by the same token, if the domain "expects" to have its domain
associated with a mailing list, then it probably should not be using
exclusive contracts with the delegate signer.

Hector Santos, Santronics Software, Inc.
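An added illustration of the distinction Jim and Hector are arguing about, not code from the thread or from any DKIM implementation: a verifier-side classifier that decides "author signature" versus "third-party signature" from nothing but the From: domain and the d= tag, so a delegate signing with a key published under author.com is indistinguishable from author.com itself, whatever context it signed in. The "exclusive" practice, the sample headers and the selector names are constructed assumptions for the example.

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
import re

def from_domain(msg: Message) -> str:
    """Domain of the From: address, the 'author domain' that SSP is about."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def signing_domains(msg: Message) -> list:
    """d= tag of every DKIM-Signature header, folding whitespace removed."""
    doms = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = {}
        for chunk in re.sub(r"\s+", "", sig).split(";"):
            if "=" in chunk:
                name, value = chunk.split("=", 1)
                tags[name] = value
        if "d" in tags:
            doms.append(tags["d"].lower())
    return doms

def classify(msg: Message) -> str:
    """'author' if any signature's d= is the From: domain or a parent of it,
    'third-party' if only other domains signed, 'unsigned' otherwise.
    Cryptographic validity of b= is assumed to have been checked already."""
    author = from_domain(msg)
    doms = signing_domains(msg)
    if not doms:
        return "unsigned"
    if any(author == d or author.endswith("." + d) for d in doms):
        return "author"
    return "third-party"

def classify_text(raw: str) -> str:
    return classify(message_from_string(raw))

def exclusive_practice_ok(raw: str) -> bool:
    """Simplified 'exclusive' practice (an assumption modelled on the contract
    in the post): author.com mail is acceptable only with an author signature."""
    return classify_text(raw) == "author"

# Constructed: delegate isp.net signs with a key published under author.com (s=isp).
# The verifier sees an author signature whether this was a direct send or a list re-sign.
DELEGATE_AS_AUTHOR = """From: alice@author.com
DKIM-Signature: v=1; a=rsa-sha256; d=author.com; s=isp; c=relaxed/relaxed;
 h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED
Subject: test

body
"""
# Constructed: the same delegate signing in its own name, now visibly third-party.
DELEGATE_AS_THIRD_PARTY = DELEGATE_AS_AUTHOR.replace("d=author.com; s=isp", "d=isp.net; s=lists")
```

Only the second message can be rejected under the exclusive practice; the first passes even if it was re-signed by the delegate on its way through a mailing list, which is exactly the weakness described in the quoted reply.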
