ietf-mailsig

RE: Spoofing revisited

2005-07-27 20:53:16

Earl Hood wrote:

On July 27, 2005 at 17:59, "Arvel Hathcock" wrote:

In the case of the example you gave joe.user@x does not match 
d=ispoofyou.com from the signature.  Therefore an SSP is required 
using the domain 'x' taken from joe.user@x (the "Originator 
Address").  
In fact, this policy lookup is required any time the signing entity 
does not match the domain of the From.  The policy at domain 'x' will 
specify that it does not allow "third-party signatures" and that's 
the end of the problem right?

...

In the example, the i= is a sub-domain of d=, but the From is 
of a different domain (and what is displayed by MUAs).


In this situation, section 4 of the draft states that

| Sender Signing Policy Checks MUST be based on the Originator Address.
| If the message contains a valid signature on behalf of the Originator
| Address no Sender Signing Policy Check need be performed: the verifier
| SHOULD NOT look up the Sender Signing Policy and the message SHOULD
| be considered non-Suspicious.
|
| Verifiers checking messages that do not have at least one valid
| signature MUST perform a Sender Signing Policy Check by doing a DNS
| query to the domain specified by the Originator Address.

If the policy specified by the domain of the "From:" address states 
that third party signatures were not to be accepted, then the signature 
would not verify.

--
James
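
The verifier decision discussed in this message, sketched as an added example that is not part of the original thread or of the draft. The policy table, its field names (`third_party_ok`, `signs_all`), the no-policy default, and the rule that a signature is "on behalf of" the originator when its i=/d= domain equals the From: domain are assumptions made for illustration, not the draft's record syntax.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Signature:
    d: str                   # signing domain (d= tag)
    i: Optional[str] = None  # signing identity (i= tag), may be absent
    valid: bool = True       # outcome of cryptographic verification

    def identity_domain(self) -> str:
        # Use the domain part of i= when present, otherwise fall back to d=.
        return (self.i.rsplit("@", 1)[-1] if self.i else self.d).lower()

# Constructed stand-in for the DNS policy query (assumed fields, not real records).
POLICIES = {
    "x": {"third_party_ok": False, "signs_all": True},
    "lists.example": {"third_party_ok": True, "signs_all": False},
}
NO_POLICY = {"third_party_ok": True, "signs_all": False}  # assumed default

def check_message(from_addr, signatures, policies=POLICIES):
    """Return (verdict, policy_was_looked_up) for one message."""
    originator = from_addr.rsplit("@", 1)[-1].lower()
    valid = [s for s in signatures if s.valid]
    # A valid signature on behalf of the Originator Address: no lookup needed.
    if any(s.identity_domain() == originator for s in valid):
        return ("non-suspicious", False)
    # Otherwise the policy of the From: domain decides, never the d= domain.
    policy = policies.get(originator, NO_POLICY)
    if valid:   # only third-party signatures verified
        ok = policy["third_party_ok"]
    else:       # nothing verified at all
        ok = not policy["signs_all"]
    return ("non-suspicious" if ok else "suspicious", True)

if __name__ == "__main__":
    # The thread's case: From joe.user@x, signed with d=ispoofyou.com and an
    # i= in a sub-domain of d= (the i= value is constructed).
    spoof = Signature(d="ispoofyou.com", i="joe.user@mail.ispoofyou.com")
    print(check_message("joe.user@x", [spoof]))
    print(check_message("joe.user@x", [Signature(d="x")]))
```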

