Charles,
Are you not making the assumption that implementors may check SSP before
checking DKIM? A quick SSP lookup first returning a strict against a third
party DKIM signed mail may be processed differently than an SSP relaxed
Thanks,
Bill Oxley
Messaging Engineer
Cox Communications
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Charles Lindsey
Sent: Friday, January 25, 2008 10:18 AM
To: DKIM
Subject: Re: [ietf-dkim] Re: ISSUE 1521 -- Limit the application of SSP
to unsigned messages
On Thu, 24 Jan 2008 16:18:32 -0000, Dave Crocker <dhc(_at_)dcrocker(_dot_)net>
wrote:
Stephen Farrell wrote:
1521 Limit the application of SSP to unsigned messages new dkim
Nobody 0 dhc(_at_)dcrocker(_dot_)net 9 days ago 9 days ago 0
Proposal: REJECT, but some wording changes may be needed for the next
rev, thread is [4]. I mainly saw opposition to the change suggested in
the issue, and little support, but some text clarifying changes were
suggested (e.g. [5]).
[4] http://mipassoc.org/pipermail/ietf-dkim/2007q4/008424.html
[5] http://mipassoc.org/pipermail/ietf-dkim/2007q4/008467.html
Would you please explain the basis for assessing that this topic got
sufficient discussion and that there was rough consensus on it?
See above "I mainly saw..."
Summary of proposal:
All text that causes SSP to be applied to an already-signed message
needs to be removed.
I would like to ask folks with an opinion about this proposal to post an
explicit note stating support or opposition. Some of the existing posts
were about substantive issues in the proposal, but did not clearly
indicate support or opposition.
-1 - mainly because the proposal is meaningless.
SSP is applied by verifiers close to the final recipient. We expect
messages to be "already-signed" at the point, so you essentially seem to
be saying "SSP is NEVER to be applied".
Even if "already-signed" is taken to mean "already-validly-signed", that
still leaves open the question "has it been signed by the right people?",
and answering that question is the whole point of SSP.
Even if all the From addresses have SSP policies "all" (in which case any
valid signature is good enough) you still need to do the SSP lookup in
order to establish that fact.
Because, if one of them has SSP=strict, and you fail to look up the SSP,
then you will let through messages that the strict-domain wanted you to
reject.
So the proposal is tantamount to abolishing the 'strict' category
entirely. Either that, or it is meaningless.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
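
The argument in Charles Lindsey's message above, as an added example that is not part of the thread or of any SSP draft: a simplified Python model comparing a verifier that always performs the SSP lookup with one that skips it once a valid signature is present. The policy names "all" and "strict" come from the thread; the record table, the example domains, the function names and the reading of "strict" as "the From domain itself must have signed" are assumptions.

```python
# Simplified model of the verifier decision argued over in this thread.
# "all" and "strict" are the policy names used in the thread; the record
# table, domains and function names are constructed for illustration.

# Constructed stand-in for the DNS lookup of each domain's SSP record.
SSP_RECORDS = {
    "bank.example": "strict",  # assumption: only the From domain's own signature counts
    "shop.example": "all",     # per the thread: any valid signature is good enough
}

def check_with_ssp(from_domains, valid_signers):
    """Look up SSP for every From domain, whether or not the mail is signed."""
    for domain in from_domains:
        policy = SSP_RECORDS.get(domain)  # None: no policy published
        if policy == "strict" and domain not in valid_signers:
            return "fail"
        if policy == "all" and not valid_signers:
            return "fail"  # assumption: unsigned mail does not satisfy "all"
    return "pass"

def check_skipping_signed(from_domains, valid_signers):
    """The proposal as read in the thread: no SSP once a valid signature exists."""
    if valid_signers:
        return "pass"
    return check_with_ssp(from_domains, valid_signers)

# Constructed messages: (label, From domains, domains with a valid signature).
CASES = [
    ("strict author, own signature", ["bank.example"], {"bank.example"}),
    ("strict author, third-party signature", ["bank.example"], {"list.example"}),
    ("'all' author, third-party signature", ["shop.example"], {"list.example"}),
    ("two authors, one strict, other signs", ["shop.example", "bank.example"], {"shop.example"}),
    ("strict author, unsigned", ["bank.example"], set()),
]

def disagreements(cases=CASES):
    """Return labels of messages the two verifiers judge differently."""
    return [label for label, froms, signers in cases
            if check_with_ssp(froms, signers) != check_skipping_signed(froms, signers)]

if __name__ == "__main__":
    for label, froms, signers in CASES:
        print(f"{label:40} with SSP: {check_with_ssp(froms, signers):5}"
              f" skipping: {check_skipping_signed(froms, signers)}")
    print("differ:", disagreements())
```

The two verifiers differ only on validly signed mail whose From domain publishes "strict" and did not sign it, which is the case the message says the proposal would let through.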