----- Original Message -----
From: "Stephen Farrell" <[EMAIL PROTECTED]>
To: "Hector Santos" <[EMAIL PROTECTED]>

>> hmmm, Doesn't this "highly exclusive" policy just happen to be the most
>> powerful protection the DKIM protocol has to offer?
>
> So, you're saying that...
>
> "A says he signs everything"
>
> ...is "weaker" than....
>
> "A says he signs everything and no-one else is allowed to sign A's mail"

Yes. I say that would be a weaker policy.

> What's the benefit for the signer/originator or the verifier? I just
> don't see one.

From a security standpoint, the highest protection is the "Greedy One", the one with high exclusivity with absolutely no expectation for tampering, gain of new information, unknown fingerprints, etc. This yields the highest confidence for the DKIM protocol. All other policies are relaxed deviations of the highest protection possible.

However, this does not exclude the possibility of a service bureau who operates and provides a service as a transparent 3rd party signer on behalf of the original party. This is also a highly possible scenario for mail servers who are locally hosting domains and are providing "Complete DKIM Signing Service Plan(s)" for these hosted domains.

  Plan 1 - Host signs as 3rd party for domain - $.10 per msg
  Plan 2 - Host signs as 1st party for domain - $.25 per msg
  etc.

In Plan 2, the host will basically create the keys for the domain, or he might allow the domain to create them.

This level of possible host/domain service contracts was discussed in quite some detail in the old list among myself, Earl Hood, Jim and a few others. Earl Hood, as you probably know, is/was the chief architect for the GoodMail system that touched base with much of what we are discussing here. Probably doesn't hang around for NDA reasons now.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
