On Wednesday 05 December 2007 13:46, Michael Thomas wrote:
[Who is apps-review, and why are they rejecting messages? If this is
intended as an apps area review where only Dave gets to post, that's
a problem.]
Dave Crocker wrote:
o A "Verifier" is the agent that verifies a message by checking the
actual signature against the message itself and the public key
published by the Alleged Signer. The Verifier also looks up the
Sender Signing Practices published by the domain of the Originator
Address if the message is not correctly signed by the Alleged
Originator.
Again: SSP is now not restricted to unsigned messages. It applies also to a
potentially very large class of signed messages. In effect, SSP now appears
to be attempting to emulate SPF strictures of correlation among identity
fields.
If SSP is going to have any utility whatsoever, it cannot be defeated
by the mere act of signing a message from any random domain. Period.
That would be completely and utterly useless, and a complete joke to
create such a specification. When a domain says that it signs all of
its mail, it means just that. It doesn't mean that maybe on every
third Thursday that some other domain might sign the mail. It means
that the domain in question signs its own mail with its own
signatures. That means that you have to know which domain a piece of
mail is purporting to be from. The address chosen in the requirements
in RFC5016 is the rfc2822.From address. This was not controversial.
Why we're rehashing that non-argument now is beyond me.
+1. It's pretty obvious that it has to be this way.
Scott K
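An added illustration (mine, not code from the thread or from the DKIM drafts) of the verifier behaviour Michael describes: the policy domain is taken from the rfc2822.From address as RFC 5016 requires, only a valid signature whose d= equals that domain counts as "signed by the Alleged Originator", and Sender Signing Practices are consulted otherwise, so a signature from some unrelated domain does not satisfy a domain's "I sign all my mail" assertion. The practice values and result labels are constructed stand-ins, not the draft's wire format.

```python
import re

# Matches the addr-spec of a From header such as "Alice <alice@example.com>"
# or a bare "alice@example.com"; display names and angle brackets are ignored.
FROM_RE = re.compile(r"<?([^<>@\s]+)@([A-Za-z0-9.-]+)>?\s*$")


def originator_domain(from_header):
    """Return the lowercased domain of the rfc2822.From address (the Originator Address)."""
    m = FROM_RE.search(from_header)
    if not m:
        raise ValueError("unparseable From header: %r" % from_header)
    return m.group(2).lower()


def evaluate(from_header, valid_signature_domains, practices):
    """Decide whether a message is signed by its Alleged Originator.

    valid_signature_domains: d= values of DKIM signatures that verified.
    practices: constructed stand-in for the SSP record published by the
      originator domain: "all" (signs all its mail), "unknown", or None
      when no practices are published.
    Returns (author_signed, ssp_consulted, verdict).
    """
    origin = originator_domain(from_header)
    signers = {d.lower() for d in valid_signature_domains}

    # Only a signature from the From domain itself is the originator's own;
    # a valid signature from any other domain does not count.
    author_signed = origin in signers
    if author_signed:
        return True, False, "pass"

    # Not signed by the Alleged Originator: look up that domain's practices.
    if practices is None:
        return False, True, "no-policy"
    if practices == "all":
        # The domain asserts it signs all its mail, yet this message
        # carries no signature from it: a policy violation.
        return False, True, "policy-violation"
    return False, True, "neutral"
```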
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html