On Sat, 2005-08-27 at 00:18 -0700, Dave Crocker wrote:
> Security Role:
>
> DKIM's basic mechanism performs simple message signing for any identity
> wishing to be held accountable for the message. The security function
> performed by the signing is authentication of that asserted identity.

Your list does not offer the possibility of establishing opportunistic identity schemes that could be based upon the selective binding of signed message identifiers retained locally. This technique could supplant complex authorization schemes that offer countless exceptions which themselves create security concerns.

The advantage found would be a minimization of the protocol overhead by excluding tree-walking domains that provide no indication any record has been published, as in the case of third-party signatures. Binding scope recommendations and automated bindings limited to just the domain and where the domains match offer the possibility of these special cases being cached within the MTA. Opportunistic identification may provide better protections than specific mailbox-domain authorization.

> The SSP mechanism provides the security function of authorization, to
> determine whether the sending of unsigned messages is authorized or
> prohibited.

This can work in conjunction with a host name as was done with the HELO. The HELO domain offers assertions of specific mandated authorizations. This could be easily extended to include mandates that all messages will be signed. This may include provisions for sub-domain signing or any-domain signing for that matter. By including a requirement for exposing the host-name, the overhead associated with domain mandates becomes reasonable and would be a means to identify unauthorized servers.

There would be an inordinately high overhead associated with attempts to associate mail-box domain authorizations within third-party signed messages. As such, authorizations related to mail-domain authorization offer risks. The high overhead may preclude checking, possibly dangerous exceptions, and in cases where the authorization is denied, expensive support issues.

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org
