I think I missed the beginning of this thread somehow. I think this matrix came from Hector; I rather like it because it frames the discussion well:
I will draw the outcome table in text mode. View it in fixed pitch mode. Table 1.0 - DKIM Verification States illustrates all possible outcomes for signature verification against SSP.

+-----------------------------------------------------------------+
|                   Sender Signing Policy Result                   |
+-----------+--------+---------+---------+--------+--------+-------+
| result    | WEAK   | NEUTRAL | STRONG  | EXCLU  | NEVER  | NONE  |
| verify    | OPT    | OPT/3PS | REQ/3PS | REQ    |        |       |
+-----------+--------+---------+---------+--------+--------+-------+
| NONE      | accept | accept  | reject  | reject | reject | accept|
|-----------+--------+---------+---------+--------+--------+-------|
| PASS      | accept | accept  | accept  | accept | reject | warn  |
|-----------+--------+---------+---------+--------+--------+-------|
| PASS 3PS  | reject | warn    | accept  | reject | reject | warn  |
|-----------+--------+---------+---------+--------+--------+-------|
| FAIL      | warn   | warn    | warn <.-+> warn  | reject | warn  |
|-----------+--------+---------+-------+-+--------+--------+-------|
| FAIL 3PS  | reject | warn    | warn <|-+> reject| reject | warn  |
+-----------------------------------------------------------------+
Maybe I'm focusing on an optimization here, but I'm still trying to see if we can avoid checking SSP when there is a valid originator signature present. The primary case here that requires it is NEVER. In that case, the originating domain must have published some key records, but is asserting that it doesn't send any mail. This seems like a conflict, which could be resolved in either direction. I tend to think that having a valid signature is a stronger assertion than the SSP, so why not fold NEVER into EXCLUSIVE?
Also, I think that a valid OA signature shouldn't result in a warning if there is no SSP published, which makes NONE the same as NEUTRAL, again for the reason that the signature is a stronger statement than the policy. It also makes publication of policy optional.
-Jim
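As an added illustration (not code from this thread), the quoted matrix encoded in Python together with the two foldings proposed above, so one can check which cells actually change and whether the PASS row still depends on SSP at all. It assumes that PASS denotes a valid originator signature and that the arrow annotations in the STRONG column can be ignored.

```python
# Added example: Table 1.0 from the quoted post as a lookup, plus an
# evaluator that applies the two proposed simplifications before lookup.
# Cell values and policy names are copied from the table; the "<.-+>"
# bracket linking the two STRONG/FAIL cells is not modelled (assumption).

SSP_STATES = ("WEAK", "NEUTRAL", "STRONG", "EXCLUSIVE", "NEVER", "NONE")
VERIFY_STATES = ("NONE", "PASS", "PASS 3PS", "FAIL", "FAIL 3PS")

# Rows: signature verification result. Columns: published SSP (order above).
MATRIX = {
    "NONE":     ("accept", "accept", "reject", "reject", "reject", "accept"),
    "PASS":     ("accept", "accept", "accept", "accept", "reject", "warn"),
    "PASS 3PS": ("reject", "warn",   "accept", "reject", "reject", "warn"),
    "FAIL":     ("warn",   "warn",   "warn",   "warn",   "reject", "warn"),
    "FAIL 3PS": ("reject", "warn",   "warn",   "reject", "reject", "warn"),
}


def disposition(verify, ssp):
    """Outcome from the quoted table for one (verify result, SSP) pair."""
    return MATRIX[verify][SSP_STATES.index(ssp)]


def disposition_proposed(verify, ssp):
    """Same table after folding NEVER into EXCLUSIVE and NONE (no policy
    published) into NEUTRAL, i.e. treating a valid signature as a stronger
    statement than the policy, as argued in the post."""
    folded = {"NEVER": "EXCLUSIVE", "NONE": "NEUTRAL"}.get(ssp, ssp)
    return disposition(verify, folded)


def ssp_needed_for_valid_oa(fn):
    """True if a valid originator signature (PASS row, assumed meaning) can
    still yield different outcomes depending on SSP, so SSP must be fetched."""
    return len({fn("PASS", s) for s in SSP_STATES}) > 1


def changed_cells():
    """Every (verify, ssp, original, proposed) cell the folding alters."""
    return [(v, s, disposition(v, s), disposition_proposed(v, s))
            for v in VERIFY_STATES for s in SSP_STATES
            if disposition(v, s) != disposition_proposed(v, s)]


if __name__ == "__main__":
    print("SSP lookup needed for PASS (original):", ssp_needed_for_valid_oa(disposition))
    print("SSP lookup needed for PASS (proposed):", ssp_needed_for_valid_oa(disposition_proposed))
    for row in changed_cells():
        print("changed:", row)
```

Note that the folding also turns FAIL/NEVER from reject into warn, a side effect of the proposal that the post does not mention.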
Previous by Date: Re: wildcards, was Re: dkim technology?, wayne
Next by Date: Re: ] Replay attacks and ISP business models, Tony Finch
Previous by Thread: Re: DKIM Verification Algorithm, Hector Santos
Next by Thread: RE: DKIM Verification Algorithm, Graham Finlayson