[ietf-dkim] SSP requirements
johnl at iecc.com
Fri Aug 4 20:40:58 PDT 2006
>I can't gather requirements if I can't make any sense of what you're saying.
That's a reasonable concern.
The fog around SSP is so opaque that I'm really wondering if it
wouldn't make more sense to punt and wait for people to do enough
experiments to understand what turns out to be useful.
The first open question is when a receipient would check a sender's
SSP. It seems pretty clear that if a message is self-signed, there's
no need to check, and if it's completely unsigned you do want to
check. But what if it's signed by a third party you trust? (That's
the mailing list scenario.) If a message is signed both by you and by
someone else I see no reason to treat that as anything other than a
self-signed message, but some people disagree for reasons that remain
Assuming we can work that out, I hear reasonable unanimity on "I
send no mail", that is, if you get an unsigned message purporting
to be from me, it's a fake so throw it away.
I hear considerably less consensus on "I do send mail but throw it
away if it's not signed." There's some sentiment for "if foo signs
it, then it's OK" although then we get into arguments about delegating
signing keys and the like. I hear no consensus at all about anything
else. There are lots of other true things one could say about one's
outgoing mail, but surprisingly little that's useful to recipients.
A spec with 1 2/3 bits of data doesn't impress me as worth writing.
More information about the ietf-dkim