Jim Fenton wrote:
[Adding issue number to the subject so we know what we're talking about.]
Michael Thomas wrote:
mtcc.com SSP: p=strict;
From: mike(_at_)mtcc(_dot_)com
DKIM-Signature: i=foo(_at_)hacker(_dot_)com;
Subject: phish is yummy
If you're going to say that this signature qualifies as acceptable for
the above SSP record, then you have created a security hole that renders
SSP utterly useless.
With p=strict and no other Originator Signature present, the message is
indeed Suspicious. If the verifier is following the spec, it is always
Suspicious.
You may have intended to present the example with p=all. In this case,
the message may or may not be Suspicious, at the discretion of the
verifier. This is what is meant by "Verifier acceptable". If the
verifier knows something good about the signer (maybe it's ietf.org
instead of hacker.com), it might decide that the message is not
Suspicious. It's up to the verifier.
I actually meant it the way I wrote it because that's what Dave seems
to be saying an acceptable state of affairs for either strict or all. My
point is that it not acceptable for SSP qua SSP, though a receiver can
decide
to trust hacker.com's signature in *both* cases and there's nothing that
we can or should do about that.
Which is a long winded version of that third party signatures are completely
orthogonal to SSP. "All" should just mean "I sign all of my mail". No
more, no less.
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html