I have to say that the more discussion I see from advocates of SSP, the
less I think that anyone really understands what it's supposed to do.

So here's the main SSP axiom that I think should be self-evident, but
apparently isn't: other than the trivial (but useful) case of "I send no
mail", the most that SSP can tell you is that a signature is missing.

If a message has a signature, no amount of SSP can unsign it. It might be
able to say that a signature is missing, e.g., it's signed by your ISP but
the SSP says it's supposed to be signed by you, too.

The other axiom is that any useful SSP statement (again excepting "I send
no mail") contains "all". Statements like "I sign some mail" are useless,
because they validate any message, signed or not. Statements like "I sign
no mail" are useless because recipients will already have figured that out
when they see no signatures, or else your SSP is broken if they do see
signatures.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://johnlevine.com, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
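
The two axioms in the message above can be checked mechanically. The following is an added example, not part of the original message and not SSP record syntax: the policy labels, the verdict strings and the domains `example.org` and `isp.example` are constructed for illustration.

```python
# Policy labels are this example's shorthand for the statements discussed
# in the message above; they are assumptions, not real SSP tags.
POLICIES = ("no-mail", "sign-all", "sign-some", "sign-none")


def ssp_verdict(policy, author_domain, valid_signers):
    """Return what the policy adds to what the verifier already knows.

    valid_signers is the set of domains whose signatures on the message
    verified. A verified signature stays verified whatever the policy says,
    so the only findings a policy can add are "this domain sends no mail"
    or "a signature that should be here is missing".
    """
    if policy == "no-mail":
        return "domain-sends-no-mail"
    if policy == "sign-all" and author_domain not in valid_signers:
        return "author-signature-missing"
    # "sign-some" is satisfied by signed and unsigned mail alike, and
    # "sign-none" only repeats what the absence of a signature shows.
    return "nothing-learned"


def message_states(author, other):
    """Every combination of valid signatures a verifier can observe."""
    return [frozenset(), frozenset({other}),
            frozenset({author}), frozenset({author, other})]


def informative(policy, author="example.org", other="isp.example"):
    """True if the policy yields a finding for at least one message state."""
    return any(ssp_verdict(policy, author, s) != "nothing-learned"
               for s in message_states(author, other))


def verdict_table(author="example.org", other="isp.example"):
    """Map (policy, sorted signer tuple) to verdict for every combination."""
    return {(p, tuple(sorted(s))): ssp_verdict(p, author, s)
            for p in POLICIES for s in message_states(author, other)}


if __name__ == "__main__":
    for (policy, signers), verdict in verdict_table().items():
        print(f"{policy:10} signers={list(signers)!s:32} {verdict}")
```
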