ietf-mailsig

RE: Spoofing revisited

2005-07-27 22:22:42

Earl Hood wrote:

> A SSP check is *only required* if there is an invalid signature.
>
> Nowhere in the SSP draft does it state that an SSP check
> must be done if the signature is valid.
>
> If I am misreading something, please correct my interpretation,

No.  You are correct.  I have been reading into the draft specification that
the signing policy check is required if the message does not have at least
one valid signature issued on behalf of the originator address (i.e. by the
originator, or a parent of the originator's, domain).  However, the language
of the draft does not state this.

The recent post by Arvel Hathcock (SSP - when to perform) suggests language
that describes the requirements (or at least my understanding of them)
better.

--
James

