Sorry, just starting this on a new thread:
We need clearer text in the SSP draft citing when a check is required and
when it isn't. Perhaps this language could clear it up some:

"Sender Signing Policy Checks MUST be based on the Originator Address and
are REQUIRED in the following situations:

a) all unsigned messages MUST perform a Sender Signing Policy Check
b) all signed messages in which there are no verifiable signatures MUST
perform a Sender Signing Policy Check
c) all signed messages which contain a verifiable signature in which the
domain of the signing entity is not the same as or a parent domain of the
Originator Address MUST perform a Sender Signing Policy Check

If the message contains a valid signature in which the domain of the signing
entity is the same as or a parent domain of the Originator Address then no
Sender Signing Policy Check need be performed: the verifier SHOULD NOT look
up the Sender Signing Policy and the message SHOULD be considered
non-Suspicious.

Sender Signing Policy Checks are done by doing a DNS query to the domain
specified in the Originator Address. The query MUST be for the search key
"_policy._domainkey.<domain>", where <domain> is the domain of the
Originator Address. The query may return either a DKSSP record or a TXT
record; the DKSSP record MUST override the TXT record."

--
Arvel
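
Added example, not part of the original message or of any SSP draft: a Python sketch of the decision the proposed text describes, returning whether a Sender Signing Policy Check is required and the search key to query. The names Signature, originator_domain, same_or_parent and ssp_decision are hypothetical, signature verification is assumed to have been done elsewhere, and no DNS lookup is performed.

```python
from dataclasses import dataclass
from email.utils import parseaddr


@dataclass
class Signature:  # hypothetical container for one already-evaluated signature
    signing_domain: str  # domain of the signing entity
    verified: bool       # True if the signature verified


def originator_domain(originator_address):
    """Return the lower-cased domain of the Originator Address."""
    addr = parseaddr(originator_address)[1]
    _, at, domain = addr.rpartition("@")
    if not at or not domain:
        raise ValueError("no domain in Originator Address")
    return domain.rstrip(".").lower()


def same_or_parent(signing_domain, orig_domain):
    """True if signing_domain equals orig_domain or is a parent domain of it."""
    s = signing_domain.strip().rstrip(".").lower()
    o = orig_domain.strip().rstrip(".").lower()
    # Compare whole labels, so "ample.com" is not treated as a parent of "example.com".
    return bool(s) and (o == s or o.endswith("." + s))


def ssp_decision(originator_address, signatures):
    """Decide whether a policy check is required and which name to query."""
    domain = originator_domain(originator_address)
    if any(s.verified and same_or_parent(s.signing_domain, domain) for s in signatures):
        # Valid signature from the originator domain or a parent: no lookup.
        return {"check_required": False, "reason": "originator-signature-valid", "query": None}
    if not signatures:
        reason = "unsigned"
    elif not any(s.verified for s in signatures):
        reason = "no-verifiable-signature"
    else:
        reason = "signer-unrelated-to-originator"
    return {"check_required": True, "reason": reason, "query": f"_policy._domainkey.{domain}"}


if __name__ == "__main__":
    # Constructed sample input: a message signed only by an unrelated domain.
    sigs = [Signature("lists.example.net", True)]
    print(ssp_decision("Alice <alice@mail.example.com>", sigs))
```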