Douglas Otis wrote:
On Feb 1, 2008, at 2:58 PM, Jim Fenton wrote:
Douglas Otis wrote:
The ASP approach creates fewer corner cases. At least with the ASP
draft, any risk of misuse remains within the control of a domain to
rectify.
This last statement I don't understand. Can you give an example of
"misuse within the control of a domain" that is introduced by
matching the local-part?
A domain using RFC 4871 as defined might wish to clarify which entity
had been authenticated. Such authentication information would help
prevent intra-domain spoofing. SSP essentially prevents a single
signature from offering identity assurances when a message is being
redirected (Resent-From header) or being sent on behalf of (Sender
header) the From header. Is it really reasonable for an MTA to add
two signatures, one ambiguous and the other identity specific? An
additional signature is only needed because of the SSP definition for
a compliant Author's signature. There is enough information within a
signature added on-behalf-of (i=) of the Resent-From header for
compliance to be ascertained without also requiring an additional
ambiguous signature (no local-part).
SSP has no relationship with the Resent-From, Sender, and similar header
fields. Is the root issue here that you would like it to do so? If I
remember correctly, your draft proposes this, but I have seen no
consensus to deviate from the requirements in this way.
On the other hand, matching the local-part of i= (when it is present)
prevents a signature that may be associated with a Sender or Resent-From
address that happens to be in the same domain as the From address, from
being misinterpreted as an Author Signature when it's not.
-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html