On 31 Jul 2006 15:46:41 -0000 John Levine <johnl(_at_)iecc(_dot_)com> wrote:
So here's the main SSP axiom that I think should be self-evident, but
apparently isn't: other than the trivial (but useful) case of I send no
mail, the most that SSP can tell you is that a signature is missing.
I take it then that you see distinguishing between first party and third
party signatures as either being of no value or not being feasible?
I don't see the phrases "first party" or "third party" in there,
either explictly or otherwise.
I think this is the key issue then and we ought to focus on it. In my view
almost the entire point of a signing policy is constraining whose
signatures are considere authorized by the domain owner. If we can't
figure out how to do that, then we can't accomplish anything worth doing.
Policies that assert all messages are signed, with no potential to
constrain which signing domains are authorized are trivially spoofable.
I think that the pre-WG SSP draft shows the way to at least a minimally
useful signing policy approach that makes some distinction and so I don't
think that your assumption is correct. DSAP is another approach that
appears feasible.
The challenge for the group is to determine how and if we can restrict
authorized signing domains. If we can't, we may as well give up on the
whole concept.
Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html