On Dec 11, 2007, at 8:52 AM, Jim Fenton wrote:
> Without placing a dependency on a reputation or accreditation
> service (both of which are out of scope), it's not possible to
> specify the circumstances under which an SSP query should be done
> when a message is signed by other than the author domain.
Issue #1519 provides additional clarification. I think this meant
unsigned by the domain, and perhaps unsigned by an otherwise trusted
domain.
Even when a message is signed by the domain of the author (using an
unrestricted key), per the definition of Originator Signature, the
message will not have a valid signature.
If ietf.org were to make a "strict" assertion, this should only affect
ietf.org email addresses that are NOT signed by the ietf.org _domain_.
A "strict" assertion should not affect messages representing a normal
communiqué initiated by the domain, nor should a "strict" assertion
change how message signing is defined in the base draft. In other
words, this assertion should not require multiple signatures from the
same domain, or prevent the i= parameter from indicating which header
the message had been signed "on-behalf-of."
The "strict" assertion should mean the domain ALWAYS signs their
messages AND the domain attempts to avoid services that might corrupt
their signature.
The "strict" assertion should not mean that their domain's signature
is only valid when signed "on-behalf-of" the From header. (An
exception would be required only for restricted keys.)
A less restrictive view of "strict" empowers domains to decide which
messages are valid by simply adding their signature.
A less restrictive view of "strict" would not invalidate message
signing as defined in the base draft.
-Doug
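The two readings of "strict" contrasted in the post above, made concrete as an added example (this is not code from the post, the SSP draft, or any DKIM implementation). It parses the From header and the DKIM-Signature tag list of a message and classifies it under two interpretations that are my own modeling of the argument: the "author-domain" reading (any valid signature whose d= is the From domain, with i= anywhere within d= as the base draft allows, counts), and the "on-behalf-of-from" reading (the signature counts only when i= names the From address itself). Only policy classification is shown; no cryptographic verification of b= is performed, and the sample messages, selector and tag values are constructed placeholders.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (placeholders, not real signatures).
SAMPLE_NO_LOCAL_PART = """\
From: alice@ietf.org
To: list@example.org
Subject: author-domain signature, i= without a local-part
DKIM-Signature: v=1; a=rsa-sha256; d=ietf.org; s=sel; i=@ietf.org;
 h=from:to:subject; bh=BODYHASH; b=SIGNATURE

body
"""

SAMPLE_FULL_IDENTITY = SAMPLE_NO_LOCAL_PART.replace("i=@ietf.org", "i=alice@ietf.org")

SAMPLE_THIRD_PARTY = SAMPLE_NO_LOCAL_PART.replace(
    "d=ietf.org; s=sel; i=@ietf.org", "d=mipassoc.org; s=list; i=@mipassoc.org")

SAMPLE_UNSIGNED = "From: alice@ietf.org\nTo: list@example.org\nSubject: none\n\nbody\n"


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature tag=value list into a dict.

    Folding whitespace is removed first, and each tag is split on its
    FIRST '=' only, because bh= and b= values carry '=' padding.
    """
    tags = {}
    for part in value.replace("\r\n", "").replace("\n", "").split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip().lower()] = "".join(val.split())
    return tags


def split_identity(identity: str):
    """Return (local-part, lowercased domain) for 'local@domain' or '@domain'."""
    local, _, domain = identity.rpartition("@")
    return local, domain.lower()


def identity_within_domain(i_domain: str, d: str) -> bool:
    """Base-draft constraint: the i= domain must be d= or a subdomain of d=."""
    return i_domain == d or i_domain.endswith("." + d)


def classify(raw_message: str, reading: str) -> str:
    """Classify a message as 'author-domain-signed' or
    'no-author-domain-signature' under one of the two modeled readings:
      'author-domain'      : d= equals the From domain is sufficient
      'on-behalf-of-from'  : i= must additionally name the From address
    Third-party signatures (d= not the author domain) never satisfy either.
    """
    if reading not in ("author-domain", "on-behalf-of-from"):
        raise ValueError("unknown reading: " + reading)
    msg = email.message_from_string(raw_message)
    from_local, from_domain = split_identity(parseaddr(msg.get("From", ""))[1])
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(value)
        d = tags.get("d", "").lower()
        # i= defaults to '@' + d= when the signer asserts nothing about the mailbox
        i_local, i_domain = split_identity(tags.get("i", "@" + d))
        if not d or not identity_within_domain(i_domain, d):
            continue  # malformed under the base draft; ignore this signature
        if d != from_domain:
            continue  # third-party signature: outside what "strict" governs
        if reading == "author-domain":
            return "author-domain-signed"
        if (i_local, i_domain) == (from_local, from_domain):
            return "author-domain-signed"
    return "no-author-domain-signature"


if __name__ == "__main__":
    for name, sample in [("no-local-part", SAMPLE_NO_LOCAL_PART),
                         ("full-identity", SAMPLE_FULL_IDENTITY),
                         ("third-party", SAMPLE_THIRD_PARTY),
                         ("unsigned", SAMPLE_UNSIGNED)]:
        for reading in ("author-domain", "on-behalf-of-from"):
            print(f"{name:14s} {reading:18s} {classify(sample, reading)}")
```

The first sample is the case the post is about: the domain signed with an unrestricted key and an i= that names only the domain, so the "author-domain" reading accepts it while the "on-behalf-of-from" reading treats it as if the author domain had not signed at all. The third-party and unsigned samples come out the same under both readings, which is the situation a "strict" assertion is meant to cover.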
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html