On Jul 27, 2006, at 2:09 AM, Mark Delany wrote:

> On Thu, Jul 27, 2006 at 03:02:55AM -0500, Arvel Hathcock allegedly wrote:
> > > Especially since one can achieve that same effect by having an
> > > SSP that says "I sign" everything and then don't sign any email.
> >
> > One can achieve the same effect perhaps but it's not as easy to
> > understand or explain:
> >
> > Potential customer question: "How do I communicate that I don't
> > send mail?"
> >
> > Answer: "You imply in your policy that, in fact, you do send mail,
> > that all such mail must be signed, but then because there won't be
> > any signatures you'll achieve your goal."
> >
> > Customer scratches head: "Why not just a binary flag that says 'I
> > don't send mail'?"
>
> So it could be an alias entry in SSP then. One is called "I sign
> all" and the other is called "I don't send". They both set the same
> bit.

There is a slight difference between these two scenarios. This
difference between "All Signed" and "Don't Send" becomes significant
when deciding what to do with an invalid signature.

A designated signing domain list with a single bit indicating whether
the list is open-ended provides for both "All Signed" or "Don't
Send". The designated signing domain list might also validate
relationships beyond the OA during the envelope examination phase,
for example.

  EHLO hostx.dkim-signer.org
  MAIL FROM: joe@example.com
  ...
  From: Joe Sixpack <joe@example.com>
  DKIM-Signature: <... d=dkim-signer.org>

  EXAMPLE.COM policy
    DSDL:
      DKIM-SIGN
      BIG-ISP
      EXAMPLE.COM
    List-mode: Closed

Finding an address for either the EHLO or a REVERSE DNS host name is
a fairly common first step.

The DSD list offers a means to confirm relationships between more
elements than just the OA and achieve "All signed" or "Don't Send"
with a single bit. When the List-mode is Open, then unlisted,
broken, or non-signed messages may be associated with the OA and
certainly other message elements.

-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
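
Added example, not part of the original message or of any SSP draft: one reading of the DSD list check described above, in Python. The record layout, the full domain spellings for the listed names, the empty closed list as the encoding of "Don't Send", and the verdict names are all assumptions.

```python
import re

# Constructed policies modelled on the EXAMPLE.COM sketch in the message. The
# field names, the full domain spellings and the empty-closed-list encoding of
# "Don't Send" are assumptions, not part of any published SSP draft.
POLICIES = {
    "example.com": {"dsdl": {"dkim-signer.org", "big-isp.example", "example.com"},
                    "closed": True},                      # "All Signed"
    "parked.example": {"dsdl": set(), "closed": True},    # "Don't Send"
    "open.example": {"dsdl": {"open.example"}, "closed": False},
}

# d= tag of a DKIM-Signature tag list; anchored so that e.g. "bd=" cannot match.
D_TAG = re.compile(r"(?:^|;)\s*d\s*=\s*([^;\s]+)")


def in_domain(host, domain):
    """True if host is the domain itself or a subdomain (label-aligned match)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def envelope_check(oa_domain, ehlo_host):
    """Envelope phase: does the EHLO name fall under a designated domain?"""
    return any(in_domain(ehlo_host, d) for d in POLICIES[oa_domain]["dsdl"])


def evaluate(oa_domain, dkim_value, sig_valid):
    """Classify a message whose From: domain is oa_domain.

    dkim_value is the DKIM-Signature tag list (None if unsigned); sig_valid is
    the result of cryptographic verification, which happens elsewhere.
    """
    policy = POLICIES[oa_domain]
    m = D_TAG.search(dkim_value) if dkim_value else None
    signer = m.group(1).lower() if m else None
    if signer and sig_valid and signer in policy["dsdl"]:
        return "designated"
    # Open list: unlisted, broken or unsigned mail may still be associated with
    # the OA. Closed list is read here as the inverse of that statement.
    return "not-designated" if policy["closed"] else "indeterminate"


if __name__ == "__main__":
    sig = "v=1; a=rsa-sha256; d=dkim-signer.org; s=sel"  # constructed sample
    print(envelope_check("example.com", "hostx.dkim-signer.org"))
    print(evaluate("example.com", sig, True), evaluate("example.com", sig, False))
    print(evaluate("parked.example", "d=parked.example", True))
    print(evaluate("open.example", None, False))
```

With an empty closed list no signer can ever be designated, so every message claiming that domain gets the same verdict as an unsigned message under "All Signed"; only the list contents differ, not the bit.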