Arvel Hathcock wrote:
YES! However, this checking currently goes contrary
to the wording of the SSP draft. If the signature is
valid, doing an SSP lookup is not required.
I don't see that in the SSP draft. I see this:
"If the message contains a valid signature on behalf of the
Originator Address no Sender Signing Policy Check need
be performed: the verifier SHOULD NOT look up the Sender
Signing Policy and the message SHOULD be considered
The key is the "on behalf of the Originator Address" language. Since
that isn't the case in the examples we've been discussing an SSP check
This is correct. The SSP lookup can only be bypassed if a valid
signature corresponds to the Originator Address. Otherwise, it MUST be
done. The thought is that having a valid signature for the Originator
Address is a common case, so it optimizes for it.
Since the SSP lookup may be bypassed in some cases, it's not a good
place to publish other types of policy, such as what types of key
management the originating domain uses.
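
The bypass rule discussed in this thread, sketched as an added example (not code from the original messages or from the SSP draft). The function names and the signature dictionaries are hypothetical, and the matching rule is an assumption: a valid signature counts as "on behalf of the Originator Address" when its signing identity (i=, defaulting to "@" plus d=) has the same domain as the From address and either an empty local part or the same local part.

```python
from email.utils import parseaddr

def split_addr(addr):
    """Split 'local@domain' into (local, domain); the domain is lower-cased."""
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()

def is_originator_signature(sig, from_header):
    """sig is a hypothetical verifier result: {'valid': bool, 'd': str, 'i': str (optional)}.
    Assumed matching rule: same domain, and i= local part empty or equal."""
    if not sig["valid"]:
        return False                      # a broken signature never bypasses SSP
    _, from_addr = parseaddr(from_header)
    from_local, from_domain = split_addr(from_addr)
    identity = sig.get("i") or "@" + sig["d"]   # i= defaults to "@" + d=
    i_local, i_domain = split_addr(identity)
    if i_domain != from_domain:
        return False                      # third-party signature (e.g. a list)
    return i_local == "" or i_local == from_local

def ssp_lookup_required(signatures, from_header):
    """The lookup may be skipped only when some valid signature is on behalf
    of the Originator Address; in every other case it must be done."""
    return not any(is_originator_signature(s, from_header) for s in signatures)

# Constructed sample inputs (not taken from real mail).
FROM = "Alice <alice@example.com>"
ORIGINATOR_SIG = {"valid": True, "d": "example.com"}
LIST_SIG = {"valid": True, "d": "lists.example.net"}
BROKEN_SIG = {"valid": False, "d": "example.com"}
OTHER_USER_SIG = {"valid": True, "d": "example.com", "i": "bob@example.com"}

if __name__ == "__main__":
    cases = {
        "originator signature": [ORIGINATOR_SIG],
        "mailing-list signature only": [LIST_SIG],
        "broken originator signature": [BROKEN_SIG],
        "unsigned": [],
    }
    for label, sigs in cases.items():
        print(label, "-> SSP lookup required:", ssp_lookup_required(sigs, FROM))
```

A message carrying only a valid third-party signature still triggers the lookup, which is the case the thread is arguing about.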