But suppose example.com is not a customer of isp.com but yet a message
from example.com has a valid signature from isp.com. Are you saying
that Y! should say that it believes it came from example.com, based on
the assertion by isp.com that it only signs third-party messages?

We certainly seem to have a lot of ambiguity if not confusion about

If a receiver is going to be looking up SSP data, is it going to look up
the domain in a message's signature? In the From: line? In some PRA-ish
function of various headers? All of the above? Some of the above in a
fixed order? Some of the above in an implementation-dependent order?

Can an additional signature ever decrease a message's reputation? I would

If a message has a valid signature from the same domain as the From:
domain, can SSP tell you anything useful? If you looked up the SSP on
such a message and it said "we send no mail", who do you believe? (Keep
in mind that if the signature is valid, the same DNS that had the SSP also
had the DKIM key.)

John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for
Information Superhighwayman wanna-be, http://johnlevine.com, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.