----- Original Message -----
From: "John Levine" <johnl(_at_)iecc(_dot_)com>
> Message from domain A, signed by A; does SSP matter at all?

Only if domain A intended this; domain A's SSP will confirm it.
You will not know for sure until you look it up. But there is a valid
argument in that the OA only signed message, the need for SSP is less, but
doesn't say it isn't needed.

> Message from A, signed by B; A's SSP says B signs all its mail

If that is what A says, fine.

> Message from A, signed by A and B; does SSP matter? (I hope not.)

It does matter. If A (assuming A is the owner) says B is allowed to sign,
fine. If not, that would be a policy violation.

> Message from A, signed by C; SSP says nothing about C.

But does SSP exist for the OA?

In a non-SSP environment (no lookup is considered), A is just looking for
trouble.

In an SSP environment (lookup is considered), it depends on what A allows. If
it has no policy, in the SSP draft, the default policy is a neutral.

In the DSAP draft, if it says nothing about C (the 3PL=allow list), then it
depends on the 3P= policy. In order to authorize this signature, the policy
must explicitly state what the 3P= policy is. In this case, 3P=ALWAYS or
3P=OPTIONAL.

The entire set spectrum of mail policies (boundary conditions) is covered
with:

  o Original Party Signatures (OP=)

    * NEVER expected
    * ALWAYS expected
    * OPTIONAL

  o 3rd Party Signatures (3P=)

    * NEVER expected
    * ALWAYS expected
    * OPTIONAL

This is consistent with the DKIM-BASE protocol and all the possible
variations of signing.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
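
An added example, not part of the original message or of either draft: a small evaluator for the OP=/3P= matrix above, run over the scenarios from the thread. The names `Policy` and `evaluate`, the verdict strings, the `*.example` domains, and the reading that a 3PL= listing authorizes a signer before 3P= is consulted are assumptions made for illustration.

```python
# Added illustration; semantics are a reading of the message above, not draft text.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    op: str = "OPTIONAL"          # original-party signatures: NEVER / ALWAYS / OPTIONAL
    tp: str = "OPTIONAL"          # third-party signatures (3P=): NEVER / ALWAYS / OPTIONAL
    tpl: frozenset = frozenset()  # 3PL= allow list (lower-case signer domains)


def evaluate(author, signers, policy):
    """Return (verdict, reasons) for a message whose signatures already verified.

    author  -- domain of the original address (OA)
    signers -- signing domains of the valid signatures on the message
    policy  -- the author's published Policy, or None when nothing is published
    """
    if policy is None:
        return "neutral", ["no policy published"]
    author = author.lower()
    signers = {s.lower() for s in signers}
    third = sorted(signers - {author})
    reasons = []
    # Original-party boundary conditions (OP=).
    if policy.op == "ALWAYS" and author not in signers:
        reasons.append("OP=ALWAYS but no original-party signature")
    if policy.op == "NEVER" and author in signers:
        reasons.append("OP=NEVER but original-party signature present")
    # Third-party boundary conditions (3P=); the 3PL= list is consulted first.
    if policy.tp == "ALWAYS" and not third:
        reasons.append("3P=ALWAYS but no third-party signature")
    for s in third:
        if s not in policy.tpl and policy.tp == "NEVER":
            reasons.append(f"{s} not in 3PL and 3P=NEVER")
    return ("violation" if reasons else "pass"), reasons


# Constructed cases mirroring the scenarios discussed in the thread.
A, B, C = "a.example", "b.example", "c.example"
CASES = {
    "A signed by A": evaluate(A, [A], Policy(op="ALWAYS", tp="NEVER")),
    "A signed by B, B in 3PL": evaluate(A, [B], Policy(tp="NEVER", tpl=frozenset({B}))),
    "A signed by A and B, B not allowed": evaluate(A, [A, B], Policy(op="ALWAYS", tp="NEVER")),
    "A signed by C, 3P=OPTIONAL": evaluate(A, [C], Policy(tp="OPTIONAL")),
    "A signed by C, no policy": evaluate(A, [C], None),
}

if __name__ == "__main__":
    for name, (verdict, why) in CASES.items():
        print(f"{name}: {verdict} {why}")
```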