John L wrote:
> But suppose example.com is not a customer of isp.com but yet a message
> from example.com has a valid signature from isp.com. Are you saying
> that Y! should say that it believes it came from example.com, based on
> the assertion by isp.com that it only signs third-party messages?
>
> We certainly seem to have a lot of ambiguity if not confusion about
> terminology.
>
> If a receiver is going to be looking up SSP data, is it going to look
> up the domain in a message's signature? In the From: line? In some
> PRA-ish function of various headers? All of the above? Some of the
> above in a fixed order? Some of the above in an
> implementation-dependent order?

The current requirement as I've captured it is that SSP is only about
RFC2822.From (1st party) and what you do if there is not a valid
signature on behalf of From. At least that's what I've seen the most
consensus for, and I frankly don't understand any other definition
assuming someone's offered one up.

> Can an additional signature ever decrease a message's reputation? I
> would argue no.
>
> If a message has a valid signature from the same domain as the From:
> domain, can SSP tell you anything useful? If you looked up the SSP on
> such a message and it said "we send no mail", who do you believe?
> (Keep in mind that if the signature is valid, the same DNS that had
> the SSP also had the DKIM key.)

Good question -- does it rise to a protocol requirement or just a
design consideration to provide an answer?

Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html