Hallam-Baker, Phillip wrote:
More basically, we are moving quickly into the morass of
requiring SSP lookups for signed messages, rather than
limiting SSP for use with unsigned messages.
Not at all, you only look at policy if you don't find
> a signature that sufficiently demonstrates authenticity.
If I support verification of algorithm A (and not B) then I only look up
> the policy record if I receive a message with no signature at all
> or a signature that I can't verify (e.g. B) or which fails verification.
My engineering tells me a SSP lookup first at all times will be more
efficient with less overhead and highest benefits across the board if
everyone followed this optimization.
The assumption being made is that all first party valid signatures are
"OK" and do not have vulnerabilities.
Well, that might be the case, after all, if the first party is
exploited, then its SSP is exploited too.
But its a chicken and egg situation that comes with an inherent overhead
- DKIM processing is heads and shoulders HIGHER in overhead than SSP.
The issue is this:
X represents the amount of VALID DKIMS in the haystack of mail
Y represents the amount BAD MAIL in the haystack of mail.
Z represents the amount DKIM signatures in Y
By the very nature of this problem, Y > X, otherwise we wouldn't be
here. Therefore the higher the percentage of Z in Y, the more overhead
you have.
If each domain has a DKIM DOMAIN policy, overhead is reduced simply
based on the fundamental concept that there is more bad mail than good.
Can't ignore that.
This is akin to checking for RCPT first before applying any high
overhead HELO/EHLO or MAIL FROM validation concept.
--
HLS
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html