I'm lost, but I'll answer what I can...

Douglas Otis wrote:
> On Nov 27, 2007, at 1:04 PM, Jim Fenton wrote:
>> What is relevant to SSP is whether the signer is asserting that the
>> From: header field is authentic. Or more specifically, whether the
>> signer is making that assertion in the specific case when the address
>> in the From: header field is the same as the signing address. SSP
>> has no other dependency on whether the signer is asserting validity
>> or is "merely" taking responsibility.
>
> The question is who is taking responsibility and for what?
> Does the signing domain indicate From email-address use is
> restricted? If so, this could then shift content responsibility onto
> the From email-address identity. If not, the signing domain is only
> responsible for permitting some unknown users access. Clearly,
> granting access says very little about content. Just granting access
> without email-address restrictions requires reputations to be based
> upon a collective behaviour of users to which they grant access.

SSP does, indeed, deal specifically with the From email address. I have
no idea what this might have to do with responsibility for content.

>> Part of me wants to say that it's vaguely silly for a signer to take
>> responsibility for a message that purports to come from themselves,
>> but which they didn't send. But I suppose RFC 4871 doesn't
>> explicitly call this out.
>
> You are being rather vague by using the terms "who" and "send". A
> signing domain does not author message content. A signing domain
> might restrict From email-address use to just authenticated owners,
> but it may not.

Let me state it differently then: If you're publishing an SSP record
other than "unknown", make sure you're not applying an Originator
Signature to spoofed mail.

>> If there is consensus that this indeed isn't clear, we could easily
>> add verbiage to SSP stating that domains publishing SSP records other
>> than "unknown" MUST additionally ensure that they only sign messages
>> purporting to come from themselves when the address in the From:
>> header field is valid.
>
> In other words, use of From email-addresses has been restricted to
> authenticated owners. What happens when they wish to send a message
> where a user is not authenticated, but where use of some critical
> email-addresses is restricted? There are currently no existing
> semantics to permit a mixed assertion, however actual use is likely to
> confront such a mixture. And this must include assertions about
> third-party domains (which includes sub-domains).

I'm not sure what "restricted" means, but I suppose I'll find out when I
read your draft.

-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html