[ietf-dkim] Are verifiers expected to query SSP on a successful verify?
Scott Kitterman
ietf-dkim at kitterman.com
Tue Aug 1 21:15:00 PDT 2006
On Tue, 01 Aug 2006 15:05:07 -0700 Michael Thomas <mike at mtcc.com> wrote:
>Scott Kitterman wrote:
>>Yes. I would also say that is explicitly not a requirement that this be
>>done without breaking some existing e-mail functionality. I don't think
>>it's doable otherwise.
>>
>>I expect that this is a choice that would only be taken by a small
>>minority of domains that are:
>>
>>1. Substantial phishing targets.
>>
>>2. Willing to accept the collateral damage.
>>
>>I do think it important to specify this type of approach.
>>
>>
>I agree about the collateral damage part and it being acceptable for
>some audiences but what I'd really like to do is phrase these in terms
>of what the signer's practice/policy is instead of what the signer hopes
>the receiver might do.
>
>In particular, it seems that there are two different cases:
>
>1) I sign all of the mail from this domain, and I don't expect that the
> places I send will suffer from transit damage
>2) I sign all of my mail but I may send to places that may incur transit
> damage

I wonder how what the receiver would do would differ.

In either case as a receiver I would reject it at the border MTA and never
let it into my network if the message was outside the scope of this kind of
exclusive policy.

I think the sender is trying to limit messages allegedly from their
domain that receivers will accept. I think the only difference between
your two cases is the amount of collateral damage the sender is expecting.
I see it as a difference of quantity, not kind.

I do agree that trying to phrase it in terms of what the sender is trying
to achieve is a good idea.

Scott K