Hector Santos wrote:
> ----- Original Message -----
> From: "Jim Fenton" <fenton(_at_)cisco(_dot_)com>
>
> > The key is the "on behalf of the Originator Address"
> > language. Since that isn't the case in the examples
> > we've been discussing, an SSP check would apply.
>
> This is correct. The SSP lookup can only be bypassed if a valid
> signature corresponds to the Originator Address. Otherwise, it
> MUST be done. The thought is that having a valid signature for
> the Originator Address is a common case, so it optimizes for it.
>
> Since the SSP lookup may be bypassed in some cases, it's
> not a good place to publish other types of policy, such as what
> types of key management the originating domain uses.
>
> Jim, question.
>
> Why isn't the SSP part of the selector key TXT record?
Hector,
In the absence of a signature, there's no selector name to use. If
there is a signature for the origination address which fails
verification but for which it's possible to retrieve the key record, I
suppose that putting the signing policy in key records as well would
save a lookup, but it would be a small savings. A policy change would
then require that all key records change as well, and that seems
burdensome and prone to inconsistency.
> Does it make sense to have it as an override?
I'm not sure what you mean by an override.
-Jim
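The decision logic discussed in this exchange, as an added example that is not part of the thread and not code from any DKIM implementation or draft. It models a verifier that skips the SSP lookup only when a signature that verifies is on behalf of the Originator Address, and contrasts a separate policy record with Hector's idea of folding policy into the selector key record. The record name `_ssp._domainkey.<domain>`, the `dkim=all` record syntax, the `Signature`/`Message` data classes and the dict standing in for DNS are all assumptions made for illustration; the sample messages and zone data are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Signature:
    """One DKIM-Signature header, reduced to what the SSP decision needs."""
    domain: str      # d= tag
    selector: str    # s= tag
    verifies: bool   # outcome of the cryptographic check


@dataclass
class Message:
    originator: str                                   # Originator Address
    signatures: List[Signature] = field(default_factory=list)


# Constructed zone data; a dict stands in for DNS so this runs offline.
# The "_ssp._domainkey" name and the "dkim=all" syntax are assumptions.
DNS: Dict[str, str] = {
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIGfMA0...",
    "sel2._domainkey.example.com": "v=DKIM1; k=rsa; p=MIGfMA0...",
    "_ssp._domainkey.example.com": "dkim=all",
}


def originator_domain(msg: Message) -> str:
    return msg.originator.rsplit("@", 1)[1].lower()


def ssp_lookup_required(msg: Message) -> bool:
    """The lookup may be skipped only when a verifying signature is on
    behalf of the Originator Address (d= equals the originator domain).
    Every other case, including a valid third-party signature, needs it."""
    dom = originator_domain(msg)
    return not any(s.verifies and s.domain.lower() == dom
                   for s in msg.signatures)


def fetch_ssp(msg: Message, dns: Dict[str, str] = DNS) -> Optional[str]:
    """Separate policy record: reachable from the originator domain alone,
    so it works even for an unsigned message (assumed record name)."""
    return dns.get(f"_ssp._domainkey.{originator_domain(msg)}")


def policy_via_key_record(msg: Message,
                          dns: Dict[str, str] = DNS) -> Optional[str]:
    """Hypothetical alternative from the question: policy inside the selector
    key record.  The record name needs a selector, which only exists when the
    message carries a signature for the originator domain; a signature that
    fails verification still supplies one, an unsigned message does not."""
    dom = originator_domain(msg)
    for s in msg.signatures:
        if s.domain.lower() == dom:
            rec = dns.get(f"{s.selector}._domainkey.{dom}")
            if rec is not None:
                return rec
    return None


def key_records_touched_by_policy_change(domain: str,
                                         dns: Dict[str, str] = DNS) -> int:
    """Cost of the key-record approach: a policy change must be applied to
    every selector record of the domain, not to one policy record."""
    suffix = f"._domainkey.{domain.lower()}"
    return sum(1 for name in dns
               if name.endswith(suffix) and not name.startswith("_ssp."))


def evaluate(msg: Message, dns: Dict[str, str] = DNS) -> dict:
    """Verifier-side decision for one message."""
    needed = ssp_lookup_required(msg)
    return {
        "ssp_lookup_required": needed,
        "ssp_record": fetch_ssp(msg, dns) if needed else None,
        "policy_reachable_via_key_record":
            policy_via_key_record(msg, dns) is not None,
    }


# Constructed sample messages covering the cases raised in the thread.
UNSIGNED = Message("alice@example.com")
VALID_ORIGINATOR_SIG = Message("alice@example.com",
                               [Signature("example.com", "sel1", True)])
BROKEN_ORIGINATOR_SIG = Message("alice@example.com",
                                [Signature("example.com", "sel1", False)])
THIRD_PARTY_SIG = Message("alice@example.com",
                          [Signature("lists.example.org", "lst", True)])

if __name__ == "__main__":
    for name, m in [("unsigned", UNSIGNED), ("valid", VALID_ORIGINATOR_SIG),
                    ("broken", BROKEN_ORIGINATOR_SIG),
                    ("third-party", THIRD_PARTY_SIG)]:
        print(name, evaluate(m))
    print("key records to edit on policy change:",
          key_records_touched_by_policy_change("example.com"))
```

Running it shows the asymmetry Jim points out: for the unsigned message `policy_via_key_record` has no selector to query and returns nothing, while the separate record is still found; the signature that fails verification is the one case where the key record is still retrievable; and with two selectors in the zone a policy change under the key-record scheme touches two records instead of one.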