Jim Fenton:
Arvel Hathcock wrote:
I would take this further: remove all text that says when to apply
SSP. Instead, provide text that states the contribution that SSP
can make under different conditions: mail with valid first-party
signature, mail with valid third-party signature, and mail without
valid signature.
I mostly agree with Wietse's proposal. Yes, I'm aware that diverges
sharply from the current draft.
I could get behind Wietse's proposal also if it hadn't started with "I
would take this further." I'm concerned with the "this" he refers to
which encourages avoiding SSP completely in the presence of a
verifiable signature from just anybody whom-so-ever. I view that
notion as completely defeating SSP.
That's exactly what I was hoping wasn't being proposed.
No worries. The proposed change is to focus the benefits that SSP
can provide in scenarios as outlined above, not to discourage the
deployment of SSP.
One can do SSP lookup in all three scenarios, but the benefits will
differ.
If mail has only a valid third-party signature, then the receiver
can use both the signer's reputation AND the statement in SSP (AND
any number of other data points) to arrive at a conclusion on how
to dispose of/label/whatever the message.
If mail has no valid signature, then obviously the originator SSP
is directly relevant (together with any number of other data points).
And if mail has a valid first-party signature, SSP is pretty much
redundant.
I hope this clarifies things a little better than my previous terse
statement.
Wietse
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html