[ietf-dkim] SSP = FAILURE DETECTION
wietse at porcupine.org
Fri Sep 8 17:40:58 PDT 2006
> > The purpose of a valid DKIM signature is to identify the party that
> > signed the message.
> Here, you are completely correct.
> > Whether this is a first-party or third-party signature is largely
> > irrelevant.
> Here, you are correct only if you restrict your vision to DKIM-BASE.
> Once we start talking about DKIM-SSP, first-party vs third-party
> becomes extremely relevant.
The importance of first/third party is easily overstated.

Here is an example why first-party signatures can be dangerous.
If I get mail with a perfectly valid first-party DKIM signature,
it could very well be a cleverly disguised domain clone attack
(say, bigbank versus big-bank etc.). Naively believing a valid
first-party DKIM signature can be a costly mistake.

And here is an example why third-party signatures can be safe.
If I receive mail from my bank and I know their signing domain,
then it does not matter what the from domain says. I already know
that the mail comes from the bank, regardless of whether this mail
has a first-party or third-party signature. The signing domain is
the basis for trust.

To summarize: naively believing a valid first-party DKIM signature
can be a costly mistake. The signing domain is a better basis for
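The two policies contrasted in the message above, side by side, as an added illustration that is not part of the original post. It assumes the DKIM signature has already been cryptographically verified and models only the trust decision; the domain names and headers are constructed.

```python
# Added example: naive "first-party" DKIM policy versus trust anchored on
# the signing domain (the d= tag). Assumes signature verification already
# succeeded; only the policy decision is modeled. All names are constructed.
import re
from email.utils import parseaddr

# Signing domains this receiver already knows and trusts (constructed).
TRUSTED_SIGNERS = {"bigbank.example", "mailservice.example"}

def from_domain(headers):
    """Domain part of the From: address, lower-cased."""
    _, addr = parseaddr(headers.get("From", ""))
    return addr.rpartition("@")[2].lower()

def signing_domain(headers):
    """The d= tag of the DKIM-Signature header, i.e. who actually signed."""
    sig = headers.get("DKIM-Signature", "")
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else None

def naive_first_party_ok(headers):
    """Trust any valid signature whose d= matches the From domain."""
    d = signing_domain(headers)
    return d is not None and d == from_domain(headers)

def trusted_signer_ok(headers):
    """Trust only signing domains we already know; the From domain is irrelevant."""
    return signing_domain(headers) in TRUSTED_SIGNERS

# Constructed messages as header dicts (bodies and signature bytes omitted).
CLONE = {  # look-alike domain carrying a perfectly valid first-party signature
    "From": "alerts@big-bank.example",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=big-bank.example; s=k1; b=...",
}
THIRD_PARTY = {  # the real bank, signed by its known outsourced mail service
    "From": "alerts@bigbank.example",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=mailservice.example; s=k1; b=...",
}

if __name__ == "__main__":
    for name, msg in (("clone", CLONE), ("third-party", THIRD_PARTY)):
        print(name, "naive first-party:", naive_first_party_ok(msg),
              "trusted signer:", trusted_signer_ok(msg))
```

The clone passes the naive check and fails the trusted-signer check; the third-party-signed bank mail does the reverse.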