ATPS, coming soon

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Tue, 25 Jan 2011 11:23:29 -0800 (PST)

A new feature coming in v2.3.0 next month is ATPS, or Authorized
Third-Party Signatures.

A portion of the DKIM working group at the IETF thinks this sort of
capacity is really important to the overall success of DKIM. However,
this view is far from unanimous and there's certainly no consensus which
way to go about doing it. Therefore, it seems some experimentation is in
order which is why we're introducing this as a feature for people to try.
If people like it and use it, we can take that information back to the
IETF and progress it toward standardization.

Briefly, ATPS is a way for a domain ("X") to indicate to a receiver that
mail from that domain might be signed by one or more other domains ("Y"),
and this is explicitly endorsed by X. That is, it's a way to declare that
mail from X signed only by Y should still be trusted. You might do this
if you contract a third party to send mail on your behalf but don't want
to give out a private key within your domain, or you might do that for
your users that send mail through a mailing list that invalidates your
signature but re-signs its mail. There are other possibilities as well.

A special build configuration flag will be required for participation.
Then, if you wish to endorse some other domain signing your mail, you will
need to add some records to your nameserver as this is the way you
announce your endorsement. A tool will be provided to assist with this.
Checking for endorsements on arriving mail will be done automatically once
that build-time flag is set.

The statistics system has been modified to report ATPS validations if you
participate. It reports messages for which ATPS was in use and the
endorsement matched, those for which ATPS was in use but there was no
endorsement, and those for which ATPS was not in use or not checked (or
the verifier is not participating).

If you want to try this out early, it is available in the v2.3.0 Beta
releases that are available for download from SourceForge. There is
already one domain using it for outbound mail (this one!). A few Beta
participants are already doing ATPS verification, so contact one of them
if you'd like to do some testing. Posting to the opendkim-dev list is
probably the easiest way to get that started.

A description of how the protocol works is available in the docs directory
of the Beta tarball, or you can view it here:

         http://datatracker.ietf.org/doc/draft-kucherawy-dkim-atps/

-MSK
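As an added illustration (not part of this post or of the OpenDKIM code), here is a minimal verifier-side check of the endorsement mechanism described above: author domain X publishes a TXT record under `_atps.X` naming signer Y, and a third-party signature by Y is credited to X only when that record exists. Record naming and tag syntax are assumed from RFC 6541, the published form of the linked draft; the beta's wire format may differ, and the zone data is a constructed sample.

```python
import base64
import hashlib

# Record name and tag syntax follow RFC 6541 (the published form of the draft
# linked above); they are assumptions here and the 2011 beta may differ.

def atps_label(signer_domain, hash_alg="sha256"):
    """Base32 of the hash of the lowercased signer domain, '=' padding
    dropped so the result is a legal DNS label (assumption)."""
    digest = hashlib.new(hash_alg, signer_domain.lower().encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()

def atps_record_name(author_domain, signer_domain, hash_alg="sha256"):
    """Name of the TXT record author domain X publishes to endorse signer Y."""
    return f"{atps_label(signer_domain, hash_alg)}._atps.{author_domain.lower()}"

def parse_tags(txt):
    """Parse a 'k=v; k2=v2' tag list as used in DKIM-style TXT records."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def atps_endorses(author_domain, signer_domain, lookup_txt, hash_alg="sha256"):
    """True iff author_domain publishes a valid ATPS record endorsing
    signer_domain; lookup_txt(name) returns the TXT string or None."""
    txt = lookup_txt(atps_record_name(author_domain, signer_domain, hash_alg))
    if txt is None:
        return False  # no record: X has not endorsed Y
    tags = parse_tags(txt)
    if tags.get("v") != "ATPS1":
        return False  # missing or wrong version tag: not an endorsement
    # d= is taken to name the endorsed signer; absent d= defaults to signer
    return tags.get("d", signer_domain).lower() == signer_domain.lower()

# Constructed zone for author domain X: it endorses one mailing-list host Y
# and nothing else. In production the lookup would be a real DNS TXT query.
ZONE = {atps_record_name("example.org", "lists.example.net"):
            "v=ATPS1; d=lists.example.net"}

def verify_signature(from_domain, sig_domain, sig_tags):
    """Classify a DKIM signature by sig_domain on mail From: from_domain.
    A first-party signature needs no ATPS; a third-party one must carry
    atps=<from_domain> and be backed by an endorsement record at X."""
    if from_domain.lower() == sig_domain.lower():
        return "first-party"
    if sig_tags.get("atps", "").lower() != from_domain.lower():
        return "third-party, no atps tag"
    alg = sig_tags.get("atpsh", "sha256")
    if atps_endorses(from_domain, sig_domain, ZONE.get, alg):
        return "third-party, endorsed"
    return "third-party, not endorsed"
```

The three third-party outcomes map onto the statistics buckets the post mentions: ATPS in use and matched, in use but no endorsement, and not in use.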
Received on Tue Jan 25 2011 - 19:23:54 PST