
Re: [ietf-dkim] Draft minutes...

2006-07-12 22:57:03

----- Original Message -----
From: "Jim Fenton" <fenton(_at_)cisco(_dot_)com>
To: "william(at)elan.net" <william(_at_)elan(_dot_)net>

So if message has Resent-From field would SSP check be done
against From or Resent-From or both?

From.  Always From, unless there is a valid signature where the
signing address matches the From address, in which case no SSP
check is required.

Said another way, only for 1st party valid signatures, a policy check is not
required.

The reasoning has been:

To exploit the 1st party key is to exploit the policy record as well, since
the commonality is the domain name, hence the same DNS storage. So if the key
was exploited unbeknownst to the verifier, the policy record is more than
likely exploited as well.  The exploited key will be authorized by the
exploited policy.

However, policy controls can be added against 3rd party signatures.

The 3rd party threat exploit is when 3rd party validated signing is neither an
authorized nor an expected practice of the originating and responsible
domain.  The original domain is not exploited in this case.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
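The decision rule the thread converges on (the SSP check is keyed on the From domain, never Resent-From, and is skipped only when a valid signature's domain matches From; third-party signatures are what a policy can constrain) can be written out as a small verifier-side routine. The code below is an added illustration, not code from the list participants or from any DKIM implementation; the Signature dataclass, the policy table keyed by author domain with a `third_party_allowed` flag, and the sample headers are all constructed assumptions, since the thread does not specify a policy record format.

```python
from dataclasses import dataclass


@dataclass
class Signature:
    """A DKIM signature as seen by the verifier (constructed model)."""
    domain: str   # the d= domain that signed
    valid: bool   # did the cryptographic verification succeed


def from_domain(header_value: str) -> str:
    """Return the lower-cased domain of a From: header (minimal, constructed parser)."""
    addr = header_value
    if "<" in addr and ">" in addr:
        addr = addr[addr.index("<") + 1 : addr.index(">")]
    return addr.rsplit("@", 1)[-1].strip().lower()


def ssp_decision(headers: dict, signatures: list) -> dict:
    """Decide which domain keys the SSP lookup and whether the lookup is needed.

    Per the thread: the policy domain is always taken from From (Resent-From is
    ignored), and the lookup is skipped only when a *valid* signature was made
    by that same domain (a first-party signature).
    """
    author = from_domain(headers["From"])
    first_party = [s for s in signatures if s.valid and s.domain == author]
    third_party = [s for s in signatures if s.valid and s.domain != author]
    return {
        "policy_domain": author,
        "lookup_required": not first_party,
        "third_party_domains": sorted(s.domain for s in third_party),
    }


def evaluate(headers: dict, signatures: list, policy_table: dict) -> str:
    """Apply a constructed policy table to the decision.

    policy_table maps an author domain to {"third_party_allowed": bool};
    this shape is an assumption for illustration, not a real SSP record.
    Returns "first-party", "no-policy", "accepted", or "suspicious".
    """
    d = ssp_decision(headers, signatures)
    if not d["lookup_required"]:
        return "first-party"            # valid 1st party signature: no SSP check
    policy = policy_table.get(d["policy_domain"])
    if policy is None:
        return "no-policy"              # author domain publishes nothing
    if d["third_party_domains"] and not policy["third_party_allowed"]:
        return "suspicious"             # 3rd party signing not an authorized practice
    return "accepted"


if __name__ == "__main__":
    # Constructed sample: a forwarded message carrying a Resent-From header.
    hdrs = {"From": "Alice <alice@example.com>",
            "Resent-From": "bob@forwarder.example"}
    table = {"example.com": {"third_party_allowed": False}}
    print(evaluate(hdrs, [Signature("forwarder.example", True)], table))
    print(evaluate(hdrs, [Signature("example.com", True)], table))
```

Note that the Resent-From header never enters the decision: the lookup is keyed on the original author's domain, and the only thing that waives it is a valid signature from that same domain.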

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html