ietf-dkim

Re: [ietf-dkim] user level ssp

2006-09-07 13:46:41
1st case: I sign no mail. It means that if you receive a signed message
from me, I am amenable to you discarding it unread.

If you sign mail and publish signing keys, why is an SSP that denies the
existence of your own keys credible?  If I consider the effort to
generate a key pair, and to install one in the DNS and the other in
the MTA, and actually get the MTA to add valid signatures, versus the
effort for some bozo to stick a broken SSP record into the DNS, I know
which one I would believe.

In the case that I am a 3rd party signer, the domain set up to do
that signing would have a separate administrative domain for
exchanging email about the signing domain.

But nobody I know of is planning to look up the SSP of the signatures.
The SSP we're discussing here keys off the sender address in the
message, for some version of sender.

Under what conditions would you expect someone to look up the SSP for
a 3rd party signature domain?  And since you would already have
verified that it's a valid signature, what could SSP tell you that
would be operationally useful?

R's,
John

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
