ietf-dkim
[Top] [All Lists]

RE: [ietf-dkim] user level ssp

2006-09-07 09:22:24
No it doesn't.

If a mail has a valid signature the policy record does not need to be read at 
all.

If you say that 'I sign no mail' and you do sign a mail this does not force 
someone to ignore the signature as you suggest. If you sign no mail and say 'I 
sign some mail' the precise same result is achieved as if you said 'I sign no 
mail'.

There is no distinction here. The only policy that is useful to a recipient is 
one that allows them to make deductions from the ABSENCE of a signature. The 
only policy that does that is I sign ALL mail. 

-----Original Message-----
From: Thomas A. Fine 
[mailto:fine(_at_)head(_dot_)cfa(_dot_)harvard(_dot_)edu] 
Sent: Thursday, September 07, 2006 10:48 AM
To: Hallam-Baker, Phillip; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: RE: [ietf-dkim] user level ssp

Hallam-Baker, Phillip wrote:
What is the difference on the recipient side between 'I sign no mail'
and 'I sign some mail'?

Well, in terms of receiving and validating email, then such a 
policy would mean that if signed mail is received AND the 
domain is marked as trusted then no spam filtering is 
required for that email.  Messages without signatures can 
still be accepted, after traditional spam filtering.

Whereas, "I sign no mail" means that it ALL has to go through 
a traditional spam filter.  One could make an argument that 
such a policy would mean that any SIGNED mail from this 
domain can be immediately dropped as invalid.  In fact, one 
could even argue that this is the only reason to have such a 
policy, as it is the only way it could be different from a 
nonexistent policy.

And "I sign all mail" means that unsigned mail can be 
instantly dropped.
This, from a verification point of view is the ideal 
situation, and somewhere down the road, this will essentially 
be the only policy.

So there is a subtle difference at verification time.  But I 
fully agree that I don't expect anyone to use the 
half-and-half policy, because it fails to protect the domain 
or it's reputation.  From the point of view of a mail forger, 
there really is no difference, this domain is still just as 
ripe for the picking.

          tom



_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>