ietf-dkim

Re: [ietf-dkim] Delegating responsibility: a make vs. buy design decision

2006-08-17 15:18:08
Dave Crocker:
To explore this approach a bit further, I'm going to wonder about the supposed
need for an SSP check when a signature is present.

     If a signature uses a domain related to the author's domain, then we have
no SSP issue.  The author's domain is used for assessment.  No SSP query need
be made.

[Plus a straightforward DNS-based delegation mechanism so that the
author's ISP can use a UNIQUE signing domain that relates directly
to the author's domain]

     If a signature is not present, THEN an SSP "I sign everything" record
might be useful (modulo the problem of surviving mailing list.)

     If a signature is present, but is not associated with the author's
domain, then make the assessment based on the signing domain, not the author's
domain.  Again, no SSP query is needed.

OK.  Start shooting...

I like this. This is very close to what I want: signed mail that
speaks for itself, whether it's first-party or third-party signed.
No batteries required.

        Wietse
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
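
The three cases in the quoted proposal, written out as an added example (not code from this thread or from any DKIM implementation). It assumes every DKIM-Signature header has already been cryptographically verified, and that "related" means the signing domain equals the author's domain or is a subdomain of it; the function names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; signature data is elided on purpose.
FIRST_PARTY = ("From: Alice <alice@example.com>\n"
               "DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com;\n"
               " s=sel1; b=...\n\nhello\n")
THIRD_PARTY = ("From: Alice <alice@example.com>\n"
               "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=ml; b=...\n"
               "\nhello\n")
UNSIGNED = "From: Alice <alice@example.com>\n\nhello\n"

def signing_domains(msg):
    """Collect the d= tag of each DKIM-Signature header (header folding removed)."""
    domains = []
    for hdr in msg.get_all("DKIM-Signature", []):
        parts = (t.partition("=") for t in "".join(str(hdr).split()).split(";"))
        tags = {k.lower(): v for k, _, v in parts if k}
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains

def related(signer, author):
    # Assumption: "related" = same domain, or signer is a subdomain of the author's.
    return signer == author or signer.endswith("." + author)

def decide(raw):
    """Return (domain to assess, whether an SSP query is needed)."""
    msg = message_from_string(raw)
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = signing_domains(msg)  # assumed already verified
    if not signers:
        return author, True         # unsigned: an SSP record might be useful
    if any(related(s, author) for s in signers):
        return author, False        # related signature: assess the author's domain
    return signers[0], False        # unrelated signature: assess the signing domain

if __name__ == "__main__":
    for name, raw in [("first-party", FIRST_PARTY),
                      ("third-party", THIRD_PARTY),
                      ("unsigned", UNSIGNED)]:
        print(name, decide(raw))
```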