ietf-dkim

Re: [ietf-dkim] Responsibility vs. Validity

2007-11-28 16:27:33
Stephen Farrell wrote:
Jim Fenton wrote:

  
If there is consensus that this indeed isn't clear, we could easily add
verbiage to SSP stating that domains publishing SSP records other than
"unknown" MUST additionally ensure that they only sign messages
purporting to come from themselves when the address in the From: header
field is valid.  That way, we're putting the additional burden on those
who publish SSP records but are not trying to modify the meaning of RFC
4871
    

I'd wonder how "purporting" and "valid" above would be
strictly defined.
  

Agree that my wording wasn't clear.  Let me try again:

If you're publishing SSP other than "unknown",
     and you're applying an Originator Signature (as defined in -dkim-ssp section 2.8),
        then you MUST ensure that the message was sent by an entity authorized to use the Originator Address (as defined in -dkim-ssp section 2.3) [i.e., that the message wasn't spoofed]

And for any such pair of definitions, I'd then wonder how
I'd check the "MUST" by looking at someone's code.
  

I see this as less of a coding (implementation) issue than one of
deployment.  There are mechanisms like SMTP AUTH that are available for
use to allow a given domain to meet this requirement, or the signer
might just accept mail from a trusted webmail server that authenticates
its users.

Do we really want to go there in SSP? (Maybe guidance in
the overview would be better if we want to say anything
about this.)
  

I'll leave it up to the WG to decide whether we're splitting hairs
here.  I'm just suggesting that if we do decide we want to go there,
here's how we might address the issue.

-Jim
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
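
Added example, not part of the original message or of any SSP draft: one way a signing MTA could use SMTP AUTH, as mentioned above, to decide whether the submitter is authorized to use the From: address before a signature is applied. The `AUTHORIZED` table, the function name, and the rule that the From: domain must equal the signing domain are assumptions made for illustration.

```python
from email.utils import getaddresses

# Constructed deployment data (assumption): which SMTP AUTH logins may use
# which From: addresses. A real site would read this from its directory.
AUTHORIZED = {
    "alice": {"alice@example.com", "sales@example.com"},
    "bob": {"bob@example.com"},
}


def may_apply_originator_signature(auth_user, from_header, signing_domain):
    """Return (ok, reason).

    ok is True only when the submission was authenticated, the From: field
    holds exactly one address in the signing domain (assumed rule), and the
    authenticated login is authorized to use that address.
    """
    if not auth_user:
        return False, "unauthenticated submission"
    # Display names are ignored; only the address itself is checked, so a
    # display name that looks like another user's address changes nothing.
    addrs = [addr for _, addr in getaddresses([from_header]) if addr]
    if len(addrs) != 1:
        return False, "From: must contain exactly one address"
    local, sep, domain = addrs[0].rpartition("@")
    if not sep or not local or not domain:
        return False, "malformed From: address"
    if domain.lower() != signing_domain.lower():
        return False, "From: domain is not the signing domain"
    # Domains compare case-insensitively; the local part is left as given.
    address = f"{local}@{domain.lower()}"
    if address not in AUTHORIZED.get(auth_user, set()):
        return False, "login not authorized for this address"
    return True, "ok"
```

A signer that gets `False` here can still relay the message unsigned or reject it; that choice is local policy.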