Re: DKIM Verification Algorithm

I think I missed the beginning of this thread somehow. I think thismatrix came from Hector; I rather like it because it frames thediscussion well:

I will draw the outcome table in text mode. View it in fixed pitch mode.

Table 1.0 - DKIM Verification States illustrates all possible
           outcomes for signature verifcation against SSP.

           +------------------------------------------------------+
           |            Sender Signing Policy Result              |
+-----------+----------------------------------------------+-------|
| result    |  WEAK  | NEUTRAL | STRONG  | EXCLU  | NEVER  | NONE  |
| verify    |   OPT  | OPT/3PS | REQ/3PS |  REQ   |        |       |
+-----------+--------+---------+---------+--------+--------+-------|
| NONE      | accept | accept  | reject  | reject | reject | accept|
|-----------+--------+---------+---------+--------+--------+-------|
| PASS      | accept | accept  | accept  | accept | reject | warn  |
|-----------+--------+---------+---------+--------+--------+-------|
| PASS 3PS  | reject | warn    | accept  | reject | reject | warn  |
|-----------+--------+---------+---------+--------+--------+-------|
| FAIL      | warn   | warn    | warn <.-+> warn  | reject | warn  |
|-----------+--------+---------+-------+-+--------+--------+-------|
| FAIL 3PS  | reject | warn    | warn <|-+> reject| reject | warn  |
+--------------------------------------+---------------------------+

Maybe I'm focusing on an optimization here, but I'm still trying to seeif we can avoid checking SSP when there is a valid originator signaturepresent. The primary case here that requires it is NEVER. In thatcase, the originating domain must have published some key records, butis asserting that it doesn't send any mail. This seems like a conflict,which could be resolved in either direction. I tend to think thathaving a valid signature is a stronger assertion than the SSP, so whynot fold NEVER into EXCLUSIVE?

Also, I think that a valid OA signature shouldn't result in a warning ifthere is no SSP published, which makes NONE the same as NEUTRAL, againfor the reason that the signature is a stronger statement than thepolicy. It also makes publication of policy optional.


-Jim

<Prev in Thread]	Current Thread	[Next in Thread>
DKIM Verification Algorithm, Hector Santos Re: DKIM Verification Algorithm, william(at)elan.net Re: DKIM Verification Algorithm, Hector Santos Re: DKIM Verification Algorithm, william(at)elan.net Re: DKIM Verification Algorithm, Hector Santos Re: DKIM Verification Algorithm, Jim Fenton <= RE: DKIM Verification Algorithm, Graham Finlayson Re: DKIM Verification Algorithm, Jim Fenton RE: DKIM Verification Algorithm, Graham Finlayson Re: DKIM Verification Algorithm, Jim Fenton

Previous by Date:	Re: wildcards, was Re: dkim technology?, wayne
Next by Date:	Re: ] Replay attacks and ISP business models, Tony Finch
Previous by Thread:	Re: DKIM Verification Algorithm, Hector Santos
Next by Thread:	RE: DKIM Verification Algorithm, Graham Finlayson
Indexes:	[Date] [Thread] [Top] [All Lists]