Date: Fri, 18 Jan 2008 16:37:53 +0000
From: johnl(_at_)iecc(_dot_)com
To: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] ISSUE 1525 -- Clarification about posting by first Author
CC: robert(_at_)barclayfamily(_dot_)com
Indeed. Does this mean you agree that SSP only applies to unsigned
messages? (Actual non-rhetorical question.)
I would agree here, except for one consideration. It makes it possible
to trivially bypass someone's policy by inserting a completely bogus
signature in all messages claiming to be from them. If anyone has a good
suggestion for how to tell the difference between a signature broken in
transit and one just made up ...
As far as DKIM is concerned, there is no difference between a broken
signature and no signature. A message that arrives with a bogus
signature is unsigned.
Sorry, I think I may have misunderstood your earlier point. When you say SSP
applies only to unsigned messages were you talking about excluding valid third
party signatures (I apologize if I misread that part of the email).
If you are talking about third party signatures I guess it comes down to what
you think the P in SSP stands for. If it is practices it is clear that I cannot
usefully say anything about anyone else's practices. If it is policy I would
say it is reasonable for a domain owner to be able to assert the policy that
no one else is allowed to sign messages on their behalf. Whether it is wise to
do so is really a matter for the domain owner to decide for themselves looking
at their terms of service, how their users (if there are any) actually use
their domain, etc.
What a receiver does with this information is in my opinion out of scope for
this discussion. It is essentially just one more useful piece of information to
throw into the vast sea of information they already have available to help make
decisions. If they choose to pick a set of third parties who they trust
regardless of the originating domains assertion that would be up to them.
Similarly if they want to pick a list of originating domains they are
completely unwilling to accept third party signatures for that is also up to
them. The policy of the originating domain may be of some help in deciding if
someone belongs in either of those categories.
- Robert
R's,
John