Stephen Farrell wrote:
In an offlist exchange with Doug I asked him whether he thinks
the following scenario is an example of his perceived problem
with ssp. He said it is an example, so I wanted to check with
the list about this.
1. Alice works for Alice-Corp who publish a policy to the effect
that they and only they sign all their outbound mail.
2. Alice posts a message to Foo-list which signs the message
itself and drops Alice's signature.
3. Bob receives the message from the Foo-list, signed by the list.
4. Bob looks up Alice-Corp's ssp assertion and considers the
message as having a bad signature.
5. In order to allieviate this problem Alice-Corp are forced
to weaken their policy to allow 3rd party signatures to be
accepted by Bob.
The missing ingredient here is some sort of instruction from Alice
as to how much of a transgression Alice believes that a broken
signature is. For something like statements(_at_)bigbank(_dot_)com, bigbank
probably wants it to be treated very harshly if it is broken. But for
a more mixed environment like the above example, the ssp should
say that although it's a transgression on the stated policy, that it
should instead be treated as a factor in determining the ultimate
disposition rather than _the_ factor (as in the bigbank.com example).
What I've been toying with is whether we could more or less use
the t=y|n flag in the ssp RR to fulfill this role. That is, bigbank.com
would say that they are not in "testing" mode, while others would
remain in that mode. Obviously we don't have to overload the t=
semantics, but it would be a way to test this kind of disposition
advice from the sender.
Mike
_______________________________________________
ietf-dkim mailing list
http://dkim.org