[ietf-dkim] NO DKIM "POLICY"
franck at genius.com
Fri Feb 20 18:37:44 PST 2009
I see a problem with "I allow 3rd party signers". In the case of a mailing list or forwarder or remailer, it may sign without the knowledge of the original sender, which is acceptable.
----- Original Message -----
From: "Hector Santos" <hsantos at santronics.com>
To: "Franck Martin" <franck at genius.com>
Cc: "Douglas Otis" <dotis at mail-abuse.org>, ietf-dkim at mipassoc.org
Sent: Saturday, 21 February, 2009 11:59:28 AM (GMT+1200) Auto-Detected
Subject: Re: [ietf-dkim] NO DKIM "POLICY"
Franck Martin wrote:
> Any way to tell someone its signature is used in third party signing?
AFAIK, not in a standard fashion
As Doug pointed out, you can detect that it appears to be 3rd party,
but the long debated issue has been how to determine if the
3rd party was "authorized" to sign for the 1st party domain (Author
This was the original DKIM idea - to include POLICY ideas like this.
DKIM was then separated as DKIM-BASE and SSP. SSP had policies like:
I don't send mail
I always sign
I sometimes sign
I allow 3rd party signers.
I have a good diagram that illustrates the logic flow when SSP policy
In short, verifiers could do policy DNS lookup and check the "o=" tag:
o=. NEVER (no mail expected)
o=? WEAK (signature optional, no third party)
o=~ NEUTRAL (signature optional, 3rd party allowed)
o=- STRONG (signature required, 3rd party allowed)
o=! EXCLUSIVE (signature required, no 3rd party)
If it was o=? or o=!, then that means no 3rd party signing was
expected. If it was o=~ or o=-, then 3rd party was allowed, etc.
But unfortunately, the January 2008 blockbuster shock of the year, out
of the blue, SSP was stripped down to what we have today ADSP which
for the most part only has:
dkim=unknown The domain might sign some or all email.
dkim=all I always sign, only me. "Don't delete?"
dkim=discardable same as all "but you can delete?"
Maybe someone can confirm that, but I'm sure that is basically
all it offers.
To answer your question - not possible.
The topic here "NO DKIM" was trying to redeem something of the base
spec hopefully, the NULL PUBLIC KEY, and that idea came from the author
of DKIM. A customer of ours got a notice from one of their vendors
about DKIM signing and wanted to know what they can do to isolate it.
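The verifier-side logic Hector describes (detect that a signature is third-party, then check the author domain's policy to see whether that was allowed) as an added example; this is not code from the thread or from any DKIM implementation. It assumes the "o=" values mean exactly what the table in the message says (the SSP draft), that "dkim=" values follow ADSP (RFC 5617), that the policy record text is handed in by the caller rather than fetched from DNS, and that a signature counts as the author domain's only when d= equals the From domain exactly (no subdomain credit).

```python
"""Classify a DKIM signature as first- or third-party and test it against the
author domain's published policy (SSP "o=" tag or ADSP "dkim=" tag).

Added example; assumptions: policy record supplied as text (no DNS here),
"o=" semantics as listed in the message, "dkim=" semantics per RFC 5617,
exact-match comparison of d= against the From domain."""
import re
from dataclasses import dataclass
from typing import Optional

# SSP "o=" value -> (policy name, signature required?, third-party signer allowed?)
SSP_O_TAG = {
    ".": ("never", True, False),      # NEVER: no mail expected from this domain
    "?": ("weak", False, False),      # signature optional, no third party
    "~": ("neutral", False, True),    # signature optional, third party allowed
    "-": ("strong", True, True),      # signature required, third party allowed
    "!": ("exclusive", True, False),  # signature required, no third party
}

# ADSP "dkim=" value -> does the policy require an author-domain signature?
ADSP_DKIM_TAG = {"unknown": False, "all": True, "discardable": True}


def parse_tags(record: str) -> dict:
    """Parse DKIM tag-list syntax ("k=v; k2=v2") into a dict with lowercased keys."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def from_domain(from_header: str) -> str:
    """Domain of the RFC5322.From address (simplified: first '@domain' in the header)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not match:
        raise ValueError("no address found in From header")
    return match.group(1).lower().rstrip(".")


def signature_kind(from_header: str, sig_header: Optional[str]) -> str:
    """'none', 'author' (d= equals the From domain) or 'third-party'."""
    if sig_header is None:
        return "none"
    d = parse_tags(sig_header).get("d", "").lower().rstrip(".")
    return "author" if d and d == from_domain(from_header) else "third-party"


@dataclass
class Verdict:
    policy: str        # "ssp:<name>", "adsp:<value>" or "none"
    signature: str     # "none", "author" or "third-party"
    acceptable: bool   # does the observed signature satisfy the published policy?
    reason: str


def evaluate(from_header: str, sig_header: Optional[str],
             policy_record: Optional[str]) -> Verdict:
    """Apply the author domain's policy record to the signature actually present."""
    kind = signature_kind(from_header, sig_header)
    if policy_record is None:
        return Verdict("none", kind, True, "no policy published; nothing to enforce")
    tags = parse_tags(policy_record)
    if "o" in tags:                                   # SSP-style record
        if tags["o"] not in SSP_O_TAG:
            raise ValueError(f"unknown o= value {tags['o']!r}")
        name, required, third_ok = SSP_O_TAG[tags["o"]]
        policy = f"ssp:{name}"
        if name == "never":
            return Verdict(policy, kind, False, "domain says it sends no mail")
        if kind == "none":
            return Verdict(policy, kind, not required,
                           "unsigned; signature " + ("required" if required else "optional"))
        if kind == "author":
            return Verdict(policy, kind, True, "author domain signature present")
        return Verdict(policy, kind, third_ok,
                       "third-party signer " + ("allowed" if third_ok else "not allowed"))
    if "dkim" in tags:                                # ADSP record (RFC 5617)
        value = tags["dkim"].lower()
        if value not in ADSP_DKIM_TAG:
            raise ValueError(f"unknown dkim= value {value!r}")
        policy = f"adsp:{value}"
        if not ADSP_DKIM_TAG[value]:
            return Verdict(policy, kind, True, "policy unknown; no conclusion")
        ok = kind == "author"
        note = " (unsigned mail may be discarded)" if value == "discardable" else ""
        return Verdict(policy, kind, ok,
                       ("author domain signature present" if ok
                        else "author domain signature required; third party does not count") + note)
    raise ValueError("record carries neither o= nor dkim=")


if __name__ == "__main__":
    # Constructed sample headers (not real mail); only d= matters for this check.
    frm = "Franck Martin <franck@example.com>"
    list_sig = "v=1; a=rsa-sha256; d=lists.example.net; s=sel; bh=...; b=..."
    for rec in ("o=!", "o=-", "dkim=all", "dkim=unknown", None):
        print(rec, evaluate(frm, list_sig, rec))
```

Run it and the mailing-list signature is refused under o=! and dkim=all, accepted under o=- and (for lack of any conclusion) under dkim=unknown, which is the gap the message complains about: ADSP can say "only me signs", but has no way to name an authorized third party.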