Re: [ietf-dkim] SSP complications, wa The URL to my paper ...

2006-07-31 Thread Douglas Otis
On Sun, 2006-07-30 at 16:13 -0700, Michael Thomas wrote: Dave Crocker wrote: What proposed SSP flags, configuration and usage will enable a receiver to know that a particular (rfc2822.From?) domain's messages must be signed by a particular ISP? I don't think it's hard to envision

Re: [ietf-dkim] Requirements on how SSP stuff is found...

2006-07-31 Thread Arvel Hathcock
I'll take a crack at this one. I suggest that we need to explain the basis for that assumption and that the explanation needs to provide the empirical basis for believing that it is the right choice. The From: header value is the identity the naive user assumes to be the originator due to

Re: [ietf-dkim] Requirements on how SSP stuff is found...

2006-07-31 Thread william(at)elan.net
On Fri, 28 Jul 2006, Jim Fenton wrote: william(at)elan.net wrote: On Fri, 28 Jul 2006, Stephen Farrell wrote: A similar question to the previous one. Current proposals involve searching for SSP stuff based on the domain part of an unsigned message's RFC2822.From element. Are there any

Re: [ietf-dkim] Requirements on how SSP stuff is found...

2006-07-31 Thread Stephen Farrell
Hi Arvel, Arvel Hathcock wrote: I'll take a crack at this one. I suggest that we need to explain the basis for that assumption and that the explanation needs to provide the empirical basis for believing that it is the right choice. The From: header value is the identity the naive user

Re: [ietf-dkim] Re: 3rd party signing

2006-07-31 Thread william(at)elan.net
On Mon, 31 Jul 2006, John L wrote: The statement that I sign only my own mail makes perfect sense. If I have a message with your valid 3rd party signature, meaning that you've published the key, and your SSP says you sign only your own mail, which do I believe? Why or why not? You

Re: [ietf-dkim] Re: 3rd party signing

2006-07-31 Thread John L
If I have a message with your valid 3rd party signature, meaning that you've published the key, and your SSP says you sign only your own mail, which do I believe? Why or why not? You [optionally] report this error to me and classify this as likely bad email due to policy. Why should I

RE: [ietf-dkim] Re: 3rd party signing

2006-07-31 Thread Bill.Oxley
You believe both and apply a receiver policy determined by yourself that will handle a message with an anomaly, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

RE: [ietf-dkim] Re: 3rd party signing

2006-07-31 Thread John L
You believe both and apply a receiver policy determined by yourself that will handle a message with an anomaly, What is the benefit of allowing people to publish SSP statements that are either self-evident or wrong? If I have a message with your valid 3rd party signature, meaning that

Re: [ietf-dkim] A few SSP axioms

2006-07-31 Thread Scott Kitterman
On Mon, 31 Jul 2006 10:02:07 -0400 (EDT) John L [EMAIL PROTECTED] wrote: I have to say that the more discussion I see from advocates of SSP, the less I think that anyone really understands what it's supposed to do. So here's the main SSP axiom that I think should be self-evident, but apparently

Re: [ietf-dkim] A few SSP axioms

2006-07-31 Thread Douglas Otis
On Mon, 2006-07-31 at 10:02 -0400, John L wrote: If a message has a signature, no amount of SSP can unsign it. It might be able to say that a signature is missing, e.g., it's signed by your ISP but the SSP says it's supposed to be signed by you, too. Agreed. The other axiom is that any

Re: [ietf-dkim] Re: 3rd party signing

2006-07-31 Thread Mark Delany
On Mon, Jul 31, 2006 at 09:59:19AM -0400, [EMAIL PROTECTED] allegedly wrote: You believe both and apply a receiver policy determined by yourself that will handle a message with an anomaly, I'm with John on this. I don't see any merit in constructing a system that allows anomalies solely for the

[ietf-dkim] Are verifiers expected to query SSP on a successful verify?

2006-07-31 Thread Mark Delany
I guess I had been making the assumption that an SSP query is only necessary on a verification failure. Some of the conversations seem to suggest that an SSP query will be needed regardless of the success of the verify. Is that the case at all? The uncommon case? The common case? Mark.

RE: [ietf-dkim] Are verifiers expected to query SSP on a successfulverify?

2006-07-31 Thread Bill.Oxley
How about checking SSP first to see if they sign at all :-)? Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Delany Sent: Monday, July 31,

Re: [ietf-dkim] Re: 3rd party signing

2006-07-31 Thread Douglas Otis
On Mon, 2006-07-31 at 06:15 -0700, william(at)elan.net wrote: On Fri, 28 Jul 2006, John L wrote: A) No mail has an isp.com From: address, but mail with other From: addresses may have an isp.com signature. Consider what I believe Y! does in their MUA: if it's got a valid signature

Re: [ietf-dkim] A few SSP axioms

2006-07-31 Thread John Levine
So here's the main SSP axiom that I think should be self-evident, but apparently isn't: other than the trivial (but useful) case of I send no mail, the most that SSP can tell you is that a signature is missing. I take it then that you see distinguishing between first party and third party

Re: [ietf-dkim] Re: 3rd party signing

2006-07-31 Thread Arvel Hathcock
If a message has a valid signature from the same domain as the From: domain, can SSP tell you anything useful? If you looked up the SSP on such a message and it said we send no mail, who do you believe? (Keep in mind that if the signature is valid, the same DNS that had the SSP also had the

Re: [ietf-dkim] Are verifiers expected to query SSP on a successful verify?

2006-07-31 Thread Dave Crocker
Mark Delany wrote: I guess I had been making the assumption that an SSP query is only necessary on a verification failure. Some of the conversations seem to suggest that an SSP query will be needed regardless of the success of the verify. Is that the case at all? The uncommon case? The

Re: [ietf-dkim] Are verifiers expected to query SSP on a successful verify?

2006-07-31 Thread Arvel Hathcock
I guess I had been making the assumption that an SSP query is only necessary on a verification failure. Some of the conversations seem to suggest that an SSP query will be needed regardless of the success of the verify. Is that the case at all? The uncommon case? The common case? Currently,

Re: [ietf-dkim] Re: 3rd party signing

2006-07-31 Thread wayne
In [EMAIL PROTECTED] Mark Delany [EMAIL PROTECTED] writes: On Mon, Jul 31, 2006 at 09:59:19AM -0400, [EMAIL PROTECTED] allegedly wrote: The statement that I sign only my own mail makes perfect sense. If I have a message with your valid 3rd party signature, meaning that you've published

RE: [ietf-dkim] Are verifiers expected to query SSP on asuccessfulverify?

2006-07-31 Thread Bill.Oxley
Can you take a look at the DSAP proposal or the link Hector provided with the SSP verification Interface Diagram? It does appear to flow this question thanks Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message-

Re: [ietf-dkim] Re: 3rd party signing

2006-07-31 Thread Hector Santos
- Original Message - From: wayne [EMAIL PROTECTED] To: ietf-dkim@mipassoc.org Sent: Monday, July 31, 2006 12:43 PM Subject: Re: [ietf-dkim] Re: 3rd party signing In [EMAIL PROTECTED] Mark Delany [EMAIL PROTECTED] I'm with John on this. I don't see any merit in constructing a system

Re: [ietf-dkim] Requirements on how SSP stuff is found...

2006-07-31 Thread Arvel Hathcock
But the SSP client is not the naive user - it's a DKIM-verifier. Does that change the argument? E.g. in terms of requiring consideration of other identities or domains found in the message? (Just asking.) If an SSP client could consider other identities/domains found within the message and

Re: [ietf-dkim] Are verifiers expected to query SSP on a successfulverify?

2006-07-31 Thread Hector Santos
- Original Message - From: Dave Crocker [EMAIL PROTECTED] To: ietf-dkim@mipassoc.org Sent: Monday, July 31, 2006 12:38 PM Subject: Re: [ietf-dkim] Are verifiers expected to query SSP on a successfulverify? Alas, it was pointed out to me that SSP does indeed have a requirement for a

Re: [ietf-dkim] Re: 3rd party signing (designated and non-designated)

2006-07-31 Thread Douglas Otis
On Jul 31, 2006, at 10:13 AM, Hector Santos wrote: We were seeing quite a few invalid Domainkeys with fake domains that do not exist. Are we expecting DKIM to be an exception to this obvious abuse rule? DKIM will not reduce the level of abuse. Bad actors are equally capable of

Re: [ietf-dkim] Are verifiers expected to query SSP on a successful verify?

2006-07-31 Thread Tony Hansen
Dave Crocker wrote: Alas, it was pointed out to me that SSP does indeed have a requirement for a lookup even when the message is signed. This is when there is so-called third-party signing. (I believe this means when the domain in the rfc2822.From does not make the DKIM d= domain.) I

RE: [ietf-dkim] A few SSP axioms

2006-07-31 Thread Hallam-Baker, Phillip
Making statements about a generalized 'other' that are thus irrebuttable due to lack of specificity is a bogus rhetorical move. All SSP can do is to tell the recipient to expect a certain level of security. I sign some mail is useful provided you know which mail is and is not signed. The

Re: [ietf-dkim] Re: 3rd party signing

2006-07-31 Thread william(at)elan.net
On Mon, 31 Jul 2006, wayne wrote: In [EMAIL PROTECTED] Mark Delany [EMAIL PROTECTED] writes: On Mon, Jul 31, 2006 at 09:59:19AM -0400, [EMAIL PROTECTED] allegedly wrote: The statement that I sign only my own mail makes perfect sense. If I have a message with your valid 3rd party

Re: [ietf-dkim] Re: 3rd party signing

2006-07-31 Thread Dave Crocker
[EMAIL PROTECTED] wrote: You believe both and apply a receiver policy determined by yourself that will handle a message with an anomaly, Please forgive me for characterizing it this way, but this seems to be an exemplar of the do whatever feels good school of protocol design. There is a

Re: [ietf-dkim] Re: 3rd party signing

2006-07-31 Thread Dave Crocker
Mark Delany wrote: On Mon, Jul 31, 2006 at 09:59:19AM -0400, [EMAIL PROTECTED] allegedly wrote: You believe both and apply a receiver policy determined by yourself that will handle a message with an anomaly, I'm with John on this. I don't see any merit in constructing a system that allows

RE: [ietf-dkim] A few SSP axioms

2006-07-31 Thread John L
I sign some mail is useful provided you know which mail is and is not signed. That's actually I sign all mail of such-and-such a description. The selector mechanism I have described allows those semantics. Indeed, but I suspect I'm not the only one who finds it overcomplex. Regards, John

RE: [ietf-dkim] A few SSP axioms

2006-07-31 Thread Hallam-Baker, Phillip
Tell you what John, why don't you just post your own opinions and let the working group chairs get on with the business of determining what other people think? Let's leave the mind reading and the clairvoyance to the experts in that field. -Original Message- From: John L [mailto:[EMAIL

Re: [ietf-dkim] Are verifiers expected to query SSP on a successful verify?

2006-07-31 Thread Dave Crocker
Tony Hansen wrote: Dave Crocker wrote: Alas, it was pointed out to me that SSP does indeed have a requirement for a lookup even when the message is signed. This is when there is so-called third-party signing. (I believe this means when the domain in the rfc2822.From does not make the

[ietf-dkim] Possible Signing Practices non-technical terminology

2006-07-31 Thread Dave Crocker
Folks, As long as I am ranting about the need to non-technical -- that is, functional -- descriptions of use for records that publish signing practices, I might as well suggest some (relatively) non-technical terminology to use, so that we have some consistency: Author: Creates message

Re: [ietf-dkim] Possible Signing Practices non-technical terminology

2006-07-31 Thread william(at)elan.net
On Mon, 31 Jul 2006, Dave Crocker wrote: Author: Creates message content Mailing-List: Creates message content, based on existing messages I have a problem with above line. In my view mail list can not be considered an author of the message. Recipient: End-user who may read the

Re: [ietf-dkim] Re: 3rd party signing

2006-07-31 Thread Hector Santos
- Original Message - From: Dave Crocker [EMAIL PROTECTED] To: [EMAIL PROTECTED] There is a pretty substantial history that says that Internet protocols succeed when they are simple and precise and that their core semantics carry little or no opportunity for making semantic choices.

Re: [ietf-dkim] Are verifiers expected to query SSP on a successfulverify?

2006-07-31 Thread Hector Santos
- Original Message - From: Dave Crocker [EMAIL PROTECTED] To: Tony Hansen [EMAIL PROTECTED] I would like to see a scenario described that explains exactly what problem needs to be detected and why it is a compelling, immediate requirement. It serves no justice to try put all the work

Re: [ietf-dkim] Are verifiers expected to query SSP on a successful verify?

2006-07-31 Thread Douglas Otis
On Jul 31, 2006, at 12:26 PM, Dave Crocker wrote: I would like to see a scenario described that explains exactly what problem needs to be detected and why it is a compelling, immediate requirement. = Problem 1: Spoofs of the 2822.From email-address(es) common with various

RE: [ietf-dkim] A few SSP axioms

2006-07-31 Thread Bill.Oxley
I am not going to recommend whitelisting ANY domain unless I own it. Thanks, Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: John L [mailto:[EMAIL PROTECTED] Sent: Monday, July 31, 2006 10:15 PM To:

Re: [ietf-dkim] A few SSP axioms

2006-07-31 Thread Steve Atkins
On Jul 31, 2006, at 7:15 PM, John L wrote: As long as we all remember that bad actors can get a domain, populate dkim keys and ssp then send spam until they are noticed and shut down. I hope we all understand that if SSP is useful at all, it's only about authentication, not reputation.

Re: [ietf-dkim] A few SSP axioms

2006-07-31 Thread Hector Santos
- Original Message - From: John Levine [EMAIL PROTECTED] Message from domain A, signed by A; does SSP matter at all? Only if domain A intended this, the domain A's SSP will confirm it. You will not know for sure until you look it up. But there is a valid argument in that the OA only

Re: [ietf-dkim] A few SSP axioms

2006-07-31 Thread Scott Kitterman
On Monday 31 July 2006 21:22, John Levine wrote: I think this is the key issue then and we ought to focus on it. In my view almost the entire point of a signing policy is constraining whose signatures are considered authorized by the domain owner. I'm assuming that when you say authorized,