For the record, one minor correction for sloppy language.
Wietse

Wietse Venema:
> Arvel Hathcock:
> > > No worries. The proposed change is to focus the benefits that SSP
> > > can provide in scenarios as outlined above, not to discourage the
> > > deployment of SSP.
> >
> > Could there be broader agreement on an SSP specification that lays out
> > how to do an SSP lookup but doesn't rigidly mandate where to look or
> > when to look? Instead, the spec would lay out several scenarios as
> > examples; chief amongst those being when signatures do not match the
> > From: domain?
>
> I have been thinking along those lines for the past week or so,
> recognizing that DKIM and SSP results will likely be used together
> with other data points that may get a higher or lower weight
> depending on receiver preferences.
>
> As you recognize, the easiest scenarios are the ones with "valid
> first-hand signature" and "no valid signature". In the former case,
> the DKIM signature provides a data point, in the latter case, SSP.
>
> The scenario with "valid third-party signature" provides two data

This should be: "valid third-party signature only"

> points, one from the DKIM signature and one from SSP. Which of the
> two gets more authority is something that IMHO only the receiver
> can decide; just like the receiver decides on their weight relative
> to any other data points.
>
> This does not change fundamentally when there is more than one
> author. One reasonable approach seems to be to iterate over the list, up
> to some sane upper bound.
>
> Wietse
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
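
Added example, not part of the original message or of any SSP draft: a receiver-side sketch that sorts each From: author into the three scenarios named in the thread and lists which data points (DKIM, SSP) are available for the receiver to weigh. The function names, the cap of 8 authors, and treating "first-hand" as an exact match between the signing domain and the author domain are assumptions of this example.

```python
from email.utils import getaddresses

MAX_AUTHORS = 8  # assumed "sane upper bound"; the thread gives no number


def author_domains(from_header, limit=MAX_AUTHORS):
    """Return the distinct author domains of a From: header, in order, capped at limit."""
    domains = []
    for _name, addr in getaddresses([from_header]):
        if "@" not in addr:
            continue  # skip unparseable or empty mailboxes
        domain = addr.rsplit("@", 1)[1].lower()
        if domain not in domains:
            domains.append(domain)
        if len(domains) == limit:
            break  # stop iterating once the upper bound is reached
    return domains


def classify(from_header, valid_signers, limit=MAX_AUTHORS):
    """Map each author domain to (scenario, data points available to the receiver).

    valid_signers holds the d= domains of DKIM signatures that already verified.
    How the data points are weighted is left to the receiver, as in the thread.
    """
    signers = {d.lower() for d in valid_signers}
    result = {}
    for domain in author_domains(from_header, limit):
        if domain in signers:
            # Assumption: exact domain match counts as a first-hand signature.
            result[domain] = ("valid first-hand signature", ["dkim"])
        elif signers:
            result[domain] = ("valid third-party signature only", ["dkim", "ssp"])
        else:
            result[domain] = ("no valid signature", ["ssp"])
    return result


if __name__ == "__main__":
    # Constructed sample: two authors, one verified signature from example.com.
    header = "Alice <alice@example.com>, bob@example.net"
    for dom, (scenario, points) in classify(header, ["example.com"]).items():
        print(f"{dom}: {scenario}; data points: {', '.join(points)}")
```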