-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of
Stuart
D. Gathman
Sent: woensdag 8 december 2004 22:33
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] Ignoring rejected mail?
The MAIL FROM signature is unique for every message. The recipient
can verify the MAIL FROM in the usual way, completely ignoring any
message digest. However, if the MAIL FROM is sent to a SES validation
server via the new UDP protocol, the server will respond with a
message digest for the message body if the MAIL FROM is otherwise
valid. The recipient can then compare the SES servers message digest
with what it computes - or just ignore it. There are various ways to
enable an SES server to encode the key needed to retreive the stored
message digest in the MAIL FROM - all hotly debated on ses-discuss.
However, it is transparent to the mail recipient, and it wouldn't
matter functionally if every sender did it differently.
The point is, the MAIL FROM can be validated "as is", similarly to
self-signed SRS. If the new SES protocol is supported by both sender
and recipient, a successful response from the UDP validation server
also gives you a digest to validate the message body and selected
2822 headers. The real purpose of the latter is to stop replay
attacks of the 2821 signature without limiting successful
validations. However, you get 2822 and message body authentication
for free when you do it that way.
Thank you for your explanation, Stuart.
I am not so optimistic with regard to the message-body remaining unaltered
in transit. But I will keep monitoring any and all SES activity, of
course. :)
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx