[ietf-dkim] Re: 3rd party signing
Michael Thomas
mike at mtcc.com
Tue Aug 1 10:52:03 PDT 2006
John L wrote:
>> But suppose example.com is not a customer of isp.com but yet a message
>> from example.com has a valid signature from isp.com. Are you saying
>> that Y! should say that it believes it came from example.com, based on
>> the assertion by isp.com that it only signs third-party messages?
>
>
> We certainly seem to have a lot of ambiguity if not confusion about
> terminology.
>
> If a receiver is going to be looking up SSP data, is it going to look
> up the domain in a message's signature? In the From: line? In some
> PRA-ish function of various headers? All of the above? Some of the
> above in a fixed order? Some of the above in an
> implementation-dependent order?
The current requirement as I've captured it is that SSP is only about
RFC2822.From (1st party) and what you do if there is not a valid
signature on behalf of From. At least that's what I've seen the most
consensus for, and I frankly don't understand any other definition
assuming someone's offered one up.
>
> Can an additional signature ever decrease a message's reputation? I
> would argue no.
>
> If a message has a valid signature from the same domain as the From:
> domain, can SSP tell you anything useful? If you looked up the SSP on
> such a message and it said "we send no mail", who do you believe?
> (Keep in mind that if the signature is valid, the same DNS that had
> the SSP also had the DKIM key.)
Good question -- does it rise to a protocol requirement or just a
design consideration to provide an answer?
Mike