ietf-dkim

Re: [ietf-dkim] Attempted summary, SSP again

2006-01-27 08:19:26

----- Original Message -----
From: "John R Levine" <johnl(_at_)iecc(_dot_)com>
Subject: Re: [ietf-dkim] Attempted summary, SSP again


I'm increasingly getting the impression that we don't
really understand the semantics of SSP.

Here are the current proposed policies: ...

    o=!  EXCLUSIVE (signature required, no 3rd party)

Well, OK.  If a message has both a signature from the From: domain and
one from someone else, does that pass?  Why or why not?

For the EXCLUSIVE policy?  Following SSP, it would be a REJECT because
the policy says no 3PS should exist.   If it does, then it should be
given the evil eye.

I'm not proposing we solve this here, just that we note that SSP
is a can of worms that we must carefully keep out of the path of
the basic signature work.

I understand what you are saying, but it is what it is. That is what the
DKIM/SSP drafts define. It is already "solved" per se.  All I showed
are the effective boundary conditions. The protocol is well defined and
the only way to get maximum security benefits is to make sure all
parties consistently follow it.  Any deviation from it and the protocol
breaks down with loopholes.

I think it's doable and has both logical and technical merits.  Whether it's
feasible, practical to have both signer and verifier policy
verification, that's another issue.  But that is what is required to
make what is proposed work.

It is up to us to decide if DKIM/SSP is ok. But if we are going with
this stuff, following SSP is the only way we can make any sense of the
signatures.  Anyone can sign anything.  But are you authorized to sign
it?

In my view, without SSP, the only signature policy is an EXCLUSIVE one.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com






_______________________________________________
ietf-dkim mailing list
http://dkim.org
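
The o=! EXCLUSIVE decision as read in the reply above (a third-party signature alongside a first-party one is a REJECT), written out as an added sketch; it is not code from the thread or from any SSP draft. It assumes every signature was already cryptographically verified and that "first-party" means the d= tag equals the From: domain exactly; the function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def signing_domains(msg):
    """Return the lower-cased d= tag of every DKIM-Signature header."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in value.split(";"):
            name, sep, val = part.partition("=")  # first '=' only; b= may contain more
            if sep:
                tags[name.strip()] = "".join(val.split())  # drop folding whitespace
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains


def evaluate_exclusive(raw_message):
    """Apply the EXCLUSIVE rule as described in the thread (assumed semantics)."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    domains = signing_domains(msg)
    first_party = [d for d in domains if d == from_domain]
    third_party = [d for d in domains if d != from_domain]
    if not first_party:
        return ("REJECT", "no signature from the From: domain")
    if third_party:
        return ("REJECT", "third-party signature present: " + ", ".join(third_party))
    return ("PASS", "only first-party signatures")


# Constructed sample messages (signature values are placeholders).
SIG_FIRST = "DKIM-Signature: v=1; d=example.com; s=sel1;\n b=AAAA==\n"
SIG_THIRD = "DKIM-Signature: v=1; d=lists.example.net; s=ml; b=BBBB\n"
REST = "From: Alice <alice@example.com>\nSubject: test\n\nbody\n"

MSG_FIRST_ONLY = SIG_FIRST + REST
MSG_BOTH = SIG_FIRST + SIG_THIRD + REST   # the case asked about in the thread
MSG_THIRD_ONLY = SIG_THIRD + REST
MSG_UNSIGNED = REST

if __name__ == "__main__":
    for label, raw in [("first only", MSG_FIRST_ONLY), ("both", MSG_BOTH),
                       ("third only", MSG_THIRD_ONLY), ("unsigned", MSG_UNSIGNED)]:
        print(label, "->", evaluate_exclusive(raw))
```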