ietf-dkim

Re: [ietf-dkim] Re: ISSUE 1521 -- Limit the application of SSP to unsigned messages

2008-01-24 16:09:54
Arvel Hathcock:
 > No worries. The proposed change is to focus the benefits that SSP
 > can provide in scenarios as outlined above, not to discourage the
 > deployment of SSP.

Could there be broader agreement on an SSP specification that lays out
how to do an SSP lookup but doesn't rigidly mandate where to look or
when to look?  Instead, the spec would lay out several scenarios as
examples; chief amongst those being when signatures do not match the
From: domain?

I have been thinking along those lines for the past week or so,
recognizing that DKIM and SSP results will likely be used together
with other data points that may get a higher or lower weight
depending on receiver preferences.

As you recognize, the easiest scenarios are the ones with "valid
first-hand signature" and "no valid signature". In the former case,
the DKIM signature provides a data point, in the latter case, SSP.

The scenario with "valid third-party signature" provides two data
points, one from the DKIM signature and one from SSP. Which of the
two gets more authority is something that IMHO only the receiver
can decide; just like the receiver decides on their weight relative
to any other data points.

This does not change fundamentally when there is more than one
author. One reasonable approach seems to be to iterate over the list, up
to some sane upper bound.

        Wietse

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
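
The three scenarios in the message above, with the bounded iteration over multiple authors, as an added example that is not part of the original post or of any DKIM/SSP specification. The function names, the bound of 5, exact (case-insensitive) domain matching and the sample headers are assumptions; the input set is taken to hold the d= domains of signatures that already verified, and weighting the resulting data points is left to the receiver.

```python
from email.utils import getaddresses

MAX_AUTHORS = 5  # assumed "sane upper bound"; the message names no number


def author_domains(from_header, limit=MAX_AUTHORS):
    """Domains of the From: authors, in order, de-duplicated, capped at limit."""
    domains = []
    for _name, addr in getaddresses([from_header]):
        local, at, domain = addr.rpartition("@")
        domain = domain.lower().rstrip(".")
        if not (local and at and domain):
            continue  # unparsable or empty address: no author domain to check
        if domain not in domains:
            domains.append(domain)
        if len(domains) >= limit:
            break  # stop here so a long author list cannot force unbounded lookups
    return domains


def classify(from_header, valid_signing_domains, limit=MAX_AUTHORS):
    """Per author domain, name the scenario and the data points it yields.

    Returns (domain, scenario, data_points) tuples. Nothing is weighted or
    rejected here; that decision stays with the receiver.
    """
    signers = {d.lower().rstrip(".") for d in valid_signing_domains}
    results = []
    for domain in author_domains(from_header, limit):
        if domain in signers:
            # valid first-hand signature: the signature itself is the data point
            results.append((domain, "first-hand", ["dkim"]))
        elif signers:
            # valid third-party signature: two data points, signature and SSP
            results.append((domain, "third-party", ["dkim", "ssp"]))
        else:
            # no valid signature: SSP is the only data point
            results.append((domain, "unsigned", ["ssp"]))
    return results


if __name__ == "__main__":
    # Constructed sample header with two authors, signed only by example.com
    sample = "Alice <alice@example.com>, Bob <bob@example.net>"
    for row in classify(sample, {"example.com"}):
        print(row)
```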
