On Thu, 31 Jan 2008 22:00:18 -0000, Hector Santos <[EMAIL PROTECTED]>
wrote:
> Charles Lindsey wrote:
>> Agreed. If the Sender domain was already one of the From domains, there
>> is no need to consider it further.
>> But suppose that there were 4 From addresses, from domains which
>> published no SSP. But for some reason the 4 authors had engaged someone
>> from domain E to Send it for them. Suppose E publishes a strict SSP.
>> Then they are going to sign it on the way out, and so it is a 1st party
>> signature.
> Charles, unless I missed your points, don't you see the conflicts in this
> scenario? The lack of protocol consistency?
> I just have a hard time believing that an organization (DOMAIN E), small
> or large, who is going to invest time, money and energy in implementing
> DKIM/SSP and go through what will most likely be an extensive
> company review process and due diligence of their domain properties and
> usage by employees, to decide they want to use a DKIM=STRICT policy
> accompanied with a new company-wide stated mandate for all employees and
> then turn around and go against its own new company mandate to use the
> domain in ways that a) are against the current SSP guidelines and b) are
> 100% exploitable.
> I just don't get it.
All sorts of strange email practices exist which you might have a hard
time believing until they suddenly happen, and even become popular :-( .
In this case, somebody employed by E agreed to send this message on behalf
of the From authors (whether in compliance with E's internal policies, or
not). Maybe the message contained some scurrilous material that the Sender
did not care to sign himself, though he agreed that it ought to be
published in the interests of free speech. At least by sending it through,
and getting it signed by, E made it traceable; maybe the From authors were
regularly spoofed, but had no way of getting their messages signed through
their own providers (maybe they all had google or hotmail addresses, or
alt.net addresses, or the other usual suspects).
> I am not suggesting that the scenario is not possible, but that in this
> case, DOMAIN E will not volunteer or agree to do this on behalf of the
> other four domains simply because it can't, not in this mode of
> operation, without violating the SSP specifications and continuing to
> subject its domain to unprotected exploitation.
E is not being 'exploited' here. All it is affirming is exactly what is
implied by its signature and the headers it covers.
Or, if you don't like that scenario, maybe it was a Resent-From header
within E's domain, rather than a Sender (again, with or without the
blessing of E's internal policies).
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email:[EMAIL PROTECTED]: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html