On Feb 16, 2006, at 6:11 PM, Mark Delany wrote:
Not that I know when r= should be used, but, it strikes me that
having an r= specify an address outside of the domain in question
is a potential for DOSing some innocent third-party.
So, should r= only specify a localpart and the domain is implied by
the domain being queried, or if r= specifies a complete address,
should the domain be constrained to be in the policy query domain
Remember, the SSP policy is referenced from an email-address. Having
the 'r=' parameter within the SSP policy is already suspect. When
the message is signed by a third-party, what can an email-address
domain owner do when a problem is being reported? The _only_ entity
able to take corrective action would be the signing-domain, as they
control access. Reporting problems to a hapless entity will easily
result in a DoSing, as they have no ability to take corrective action
to block the miscreants. The localpart should be limited to that of
the signing-domain, which means it does _not_ belong in the SSP record!
There should only be an 'r=' parameter within a record referenced
from the signing-domain. For that matter, an address convention may
handle the requirement.
NOTE WELL: This list operates according to