----- Original Message -----
From: "Jim Fenton" <fenton(_at_)cisco(_dot_)com>
The key is the "on behalf of the Originator Address"
language. Since that isn't the case in the examples
we've been discussing an SSP check would apply.

This is correct. The SSP lookup can only be bypassed if a valid
signature corresponds to the Originator Address. Otherwise, it
MUST be done. The thought is that having a valid signature for
the Originator Address is a common case, so it optimizes for it.
Since the SSP lookup may be bypassed in some cases, it's
not a good place to publish other types of policy, such as what
types of key management the originating domain uses.

Jim, question.
Why isn't the SSP part of the selector key TXT record?
Does it make sense to have it as an override?
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com