RE: [Asrg] Identified Mail draft

["Robert Rounthwaite" <robertro at exchange.microsoft.com>]

What value do you perceive in including the key in the message? Surely the domain-level verification is useless without the query to the originating domain? 
 
The only case in which I can see this as useful is when the signature is user-level and serves only to identify future mailings purporting to be from the same address as being from the same person. 
 
But that would lead, IMO, to a public key optionally included in the message -- I don't see much benefit in being able to make the domain-level signature check without having talked to the domain owner first -- and including the key with every outgoing mail message from a large domain seems wasteful just to support what seems at best a minor optimization. But maybe I'm missing something...
 
Robert Rounthwaite.

________________________________

From: asrg-bounces at ietf.org on behalf of Jim Fenton
Sent: Tue 6/8/2004 11:02 PM
To: asrg at ietf.org
Subject: [Asrg] Identified Mail draft



I would like to point out a new Internet Draft we have submitted entitled "Identified Internet Mail".  It is a message signing proposal, similar in many respects to DomainKeys.  The Draft is available at http://www.ietf.org/internet-drafts/draft-fenton-identified-mail-00.txt (or your favorite I-D repository).

Some of the key characteristics of this proposal:

- The body and selected headers of the message are signed, with the signature appearing in the message header (ala DomainKeys).

- The public key associated with the signature is included in the message with the signature.  This permits the verification of the message signature to occur independently of a query to the originating domain to determine if the key is a valid signer for the originator's address.

- Verification of keys is done by accessing a Key Registration Server (KRS) for the originating domain which is located via DNS.  DNS is not used for key distribution.  KRS responses can be cached.

- Support for local and third-party "rating services" which apply further scoring on identified messages based on the identified sender's or sender's domain's address.

- Both domain-level and user-level signing are explicitly supported.  It is expected that most domains will sign messages at the domain level somewhere in their MTA infrastructure, but that some domains will use some user-level keys (e.g., for authorizing mail from outsourced functions).  A few "affinity domains" (mail forwarding addresses) could use many user-level keys.

- Message canonicalization to minimize (admittedly not eliminate) signature breakage where intermediate MTAs modify messages

- Signature binding to envelope-from address with mandatory annotation of From address if this differs from envelope-from at verification.  This permits mailing lists that rewrite envelope-from to modify messages (perhaps appending list information) because they will be re-signing them.

Comments, of course, are very welcome.

-Jim


_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg



_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg