ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] making SSP useless in one short step

2007-12-05 15:01:32
On Wednesday 05 December 2007 13:46, Michael Thomas wrote:
[Who is apps-review, and why are they rejecting messages? If this is
  intended as an apps area review where only Dave gets to post, that's
  a problem.]

Dave Crocker wrote:
   o  A "Verifier" is the agent that verifies a message by checking the
      actual signature against the message itself and the public key
      published by the Alleged Signer.  The Verifier also looks up the
      Sender Signing Practices published by the domain of the Originator
      Address if the message is not correctly signed by the Alleged
      Originator.

Again:  SSP is now not restricted to unsigned messages.  It applies also
to a
potentially very large class of signed messages.  In effect, SSP now
appears
to attempting to emulate  SPF strictures of correlation among identity
fields.

   If SSP is going to have any utility whatsoever, it cannot be defeated
   by the mere act of signing a message from any random domain. Period.
   That would be completely and utterly useless, and a complete joke to
   create such a specification. When a domain says that it signs all of
   its mail, it means just that. It doesn't mean that maybe on every
   third thursday that some other domain might sign the mail. It means
   that the domain in question signs its own mail with its own
   signatures. That means that you have to know which domain a piece of
   mail is purporting to be from. The address chosen in the requirements
   in RFC5016 is the rfc2822.From address. This was not controversial.
   Why we're rehash that non-argument now is beyond me.

+1.  It's pretty obvious that it has to be this way.

Scott K
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html