Arvel Hathcock wrote:
> Sorry, just starting this on a new thread:
>
> We need clearer text in the SSP draft citing when a check is required and
> when it isn't. Perhaps this language could clear it up some:
>
> "Sender Signing Policy Checks MUST be based on the Originator Address and
> are REQUIRED in the following situations:
>
> a) all unsigned messages MUST perform a Sender Signing Policy Check
>
> b) all signed messages in which there are no verifiable signatures MUST
> perform a Sender Signing Policy Check
>
> b) all signed messages which contain a verifiable signature in which the
> domain of the signing entity is not the same as or a parent domain of the
> Originator Address MUST perform a Sender Signing Policy Check

The second b) misses some situations where the originator and third
party happen to be in the same domain, and keys are at a finer level of
granularity than the domain.
With the granularity problem fixed, I think the wording that currently
exists is correct, but it should be clarified because there seems to be
a lot of confusion about this.
-Jim
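
The three proposed conditions and the granularity gap discussed above, as an added example that is not part of the original thread or of the SSP draft. The Signature class, its key_local_part field (a key restricted to one local-part) and the honor_granularity flag are hypothetical names; treating any one qualifying verified signature as sufficient to skip the check is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Signature:
    domain: str                            # domain of the signing entity
    verified: bool                         # True if the signature verified
    key_local_part: Optional[str] = None   # assumption: None = key valid for any address


def _same_or_parent(signing_domain: str, originator_domain: str) -> bool:
    """True if signing_domain equals originator_domain or is a parent of it."""
    s = signing_domain.lower().rstrip(".")
    o = originator_domain.lower().rstrip(".")
    # Compare on label boundaries so "ample.com" is not a parent of "example.com".
    return o == s or o.endswith("." + s)


def ssp_check_required(originator: str,
                       signatures: Sequence[Signature],
                       honor_granularity: bool = False) -> bool:
    """Decide whether a Sender Signing Policy check is required.

    (a)  unsigned message                      -> required
    (b)  signed, no verifiable signature       -> required
    (b') verified, but signing domain is not
         the originator's domain or a parent   -> required
    With honor_granularity=True, a key restricted to another local-part
    is treated like a third-party signature (the case the reply raises).
    """
    local, _, domain = originator.rpartition("@")
    if not local or not domain:
        raise ValueError("originator must be local-part@domain")

    for sig in signatures:
        if not sig.verified:
            continue                       # cannot satisfy (b)
        if not _same_or_parent(sig.domain, domain):
            continue                       # third-party domain, (b')
        if (honor_granularity and sig.key_local_part is not None
                and sig.key_local_part != local):
            continue                       # same domain, key belongs to another user
        return False                       # originator-level signature found
    return True                            # (a), (b) or (b') applies
```
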