[ietf-dkim] A proposal for restructuring SSP

Hector Santos hsantos at santronics.com
Mon Jan 28 10:04:42 PST 2008 

John Levine wrote:
>> I will state <LOUDLY> that without the ability to handle 3rd party
>> signing statements, SSP is useless to me.</LOUDLY>
> 
> You know that hasn't been in any of the drafts, don't you?

I have no idea what you are thinking John, but all the POLICY I-D 
drafts, starting with the original SSP-00, the derivative DSAP, and the 
updated SSP-01, all had information regarding 3rd party signing 
expectations and controls.

Starting with SSP-00, it had the explicit policies:

    o=~  NEUTRAL (signature optional, 3rd party allowed)
    o=-  STRONG  (signature required, 3rd party allowed)
    o=!  EXCLUSIVE (signature required, no 3rd party)
    o=.  NEVER or NOMAIL (no mail expected)
    o=^  USER
    o=?  WEAK (signature optional, no third party, PROPOSED)

Quite often, some of the best ideas are the initial ones!!

With all the discussions, a derivative draft called DSAP was written 
focusing on the security and protocol consistency of DKIM:

    From the viewpoint of the verifier, when a message is received, there
    are two basic pieces of signature information to be of interest when
    analyzing the transaction:

    o  Original Party Signatures (OP)

       *  never expected
       *  always expected
       *  optional

    o  3rd Party Signatures (3P)

       *  never expected
       *  always expected
       *  optional

    When the two signature types are combines, the possible policies are
    listed in this following table:

     +=================================================================+
     | op=         | 3p=        | Domain Policy Semantics              |
     |=================================================================|
     | empty       | empty      | No mail expected                     |
     |-----------------------------------------------------------------|
     | never       | never      | No signing expected                  |
     | never       | always     | Only 3P signing expected             |
     | never       | optional   | Only 3P signing optional             |
     |-----------------------------------------------------------------|
     | always      | never      | OP signature expected                |
     | always      | always     | Both parties expected                |
     | always      | optional   | OP expected, 3P may sign             |
     |-----------------------------------------------------------------|
     | optional    | never      | Only OP signing expected             |
     | optional    | always     | OP expected, 3P expected             |
     | optional    | optional   | Both parties may sign.               |
     +-----------------------------------------------------------------+

These cover all possibilities from what could be expected.

SSP-01 was written and reduced/folded its policies to include:

    DKIM=STRICT

which specifically targets unexpected 3rd party signatures.


-- 
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

More information about the ietf-dkim mailing list