2. Unsigned vs. Mismatched Signature
The original SSP specification applied only to unsigned messages. The current
version includes mail that is signed but has different domains between the
DKIM i= attribute and the rfc2822.From field. Presumably, this new capability
overrides whatever reputation is associated with the message signer.
If a signer has a good reputation, then why is that not sufficient for
enabling delivery? In other words, with a signature of a domain with a good
reputation, what threats is SSP trying to protect against?
To the extent that the above is not sufficiently clear:
All text that causes SSP to be applied to an already-signed message
needs to be removed.
A DKIM signature is a statement of responsibility. When a signature is
present, an organization has taken responsibility for the message.
Reconciling an existing signature against another identity field, such as
rfc2822.From moves the use of DKIM from statements about simple transit
responsibility into assertions of content legitimacy and/or accuracy. This is
out of scope for DKIM.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html