On Mar 11, 2008, at 11:47 AM, MH Michael Hammer (5304) wrote:
As the person who originally threw out the suggestion of ADSP on the list (only half seriously), I agree with Pete. The author does not sign and the author does not set the policy. It is the domain that is signing (by virtue of publishing the DNS records, even if the author happens to sign at the MUA/MSA) and the domain which is expressing the policy.
Agreed. Sloppy terminology has led to incompatible compliance
requirements involving restrictions on use of local-part identities.
The signing domain MUST decide whether the message is compliant with
their policies BEFORE signing the message. Verifiers should not
attempt to second guess whether a domain's signature means the message
is compliant with their policy or not!
Reliance upon a signing domain's stewardship MUST NOT occur when the
message is signed using a restricted key (intended for untrustworthy
individuals or systems) that also includes an identity not found
within the From header. Whether or not the domain also publishes
policy SHOULD NOT affect how these restricted key messages should be
treated. Such messages should not benefit from the reputation of the
domain, but might benefit from the reputation of the identity,
although such benefits are likely only appreciated by individual
recipients.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
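The rule Doug states above (a restricted key whose signing identity is not found in the From header must not draw on the signing domain's reputation, whether or not the domain publishes policy) can be written down as a verifier-side decision. The following is an added example, not code from the list thread or from any DKIM implementation. It assumes the signature has already been cryptographically verified, models a "restricted key" as a key record whose RFC 4871 `g=` tag names a specific local-part (absent or `*` means unrestricted), takes the `i=` identity as a plain, unencoded local-part, and requires the identity's domain to equal the From domain exactly; the header and key-record strings are constructed samples.

```python
"""Decide which reputation, if any, a verified DKIM signature may confer.

Added example (not from the list thread). Assumptions:
- the DKIM-Signature has already been cryptographically verified;
- a "restricted key" is a key record whose g= tag (RFC 4871) names a
  specific local-part; an absent g= or g=* is an unrestricted key;
- the i= local-part is plain text (no dkim-quoted-printable encoding);
- the identity matches From only when domains are equal and, if i= carries
  a local-part, that local-part equals the From local-part.
"""
import re
from email.utils import parseaddr


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (signature header or DNS key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, val = part.split("=", 1)
        # folding whitespace inside values (e.g. b=, p=) is not significant
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_is_restricted(key_record: str) -> bool:
    """RFC 4871 g= tag: absent or '*' is unrestricted; anything else limits the local-part."""
    g = parse_tags(key_record).get("g")
    return g is not None and g != "*"


def signing_identity(sig_tags: dict) -> str:
    """i= defaults to '@' + d= when the signer omits it (RFC 4871 section 3.5)."""
    return sig_tags.get("i") or "@" + sig_tags.get("d", "")


def identity_matches_from(identity: str, from_header: str) -> bool:
    """Is the i= identity 'found within' the From header (assumption: exact domain match)?"""
    local, _, dom = identity.rpartition("@")
    f_local, _, f_dom = parseaddr(from_header)[1].rpartition("@")
    if dom.lower() != f_dom.lower():
        return False
    # an empty i= local-part names only the domain, which any From local-part satisfies
    return local == "" or local.lower() == f_local.lower()


def reputation_source(sig_header: str, key_record: str, from_header: str) -> str:
    """Return 'domain' or 'identity'.

    'identity' means the message must not benefit from the signing domain's
    reputation (restricted key AND identity not found in From); at most the
    identity's own reputation applies. Published ADSP policy is deliberately
    not an input: per the thread it should not change this treatment.
    """
    tags = parse_tags(sig_header)
    ident = signing_identity(tags)
    if key_is_restricted(key_record) and not identity_matches_from(ident, from_header):
        return "identity"
    return "domain"


# Constructed samples: a key record restricted to local-part 'alice' and one that is not.
RESTRICTED_KEY = "v=DKIM1; g=alice; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ"
OPEN_KEY = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ"
SIG_ALICE = ("v=1; a=rsa-sha256; d=example.com; s=sel; i=alice@example.com;"
             " h=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=dGVzdA==")
SIG_DOMAIN_ONLY = "v=1; a=rsa-sha256; d=example.com; s=sel; h=from; bh=x; b=y"

if __name__ == "__main__":
    print(reputation_source(SIG_ALICE, RESTRICTED_KEY, "Alice <alice@example.com>"))   # domain
    print(reputation_source(SIG_ALICE, RESTRICTED_KEY, "Bob <bob@example.com>"))       # identity
    print(reputation_source(SIG_DOMAIN_ONLY, OPEN_KEY, "Bob <bob@example.com>"))       # domain
```

The decision deliberately takes no ADSP record as input: as the thread argues, the signing domain's policy is settled before it signs, and a verifier only needs the signature's own identity and the key's restriction to know whether the domain's stewardship applies.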