[ietf-dkim] 1358 ssp-requirements-01 // DKIM Strict definition
dotis at mail-abuse.org
Mon Oct 9 11:13:04 PDT 2006
Prior to the policy requirements, there were several supporting this
concept of "strict". There is a need for more than just an assertion
that "all messages are signed." Making an assertion that "all
messages are signed" might mean only messages with invalid signatures
should be introduced by services known to damage signatures. This
would be an incorrect assumption when dealing with commerce-related
transactions from heavily phished domains. The need for this added
assertion is already found in Eric's latest SSP draft.
Two assertions are required when all messages are initially signed.
Otherwise the partial information of "all messages are signed" may
induce improper handling. This would be especially true when sources
known to damage signatures are used to enable exceptions.
To avoid improper handling, two assertions must be allowed:
1) All messages are signed.
2) Services that might damage the signature are avoided.
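As an added illustration (not from the post or the SSP draft), the difference the second assertion makes to a receiver: the handling rules, the policy and message models, and the sample messages are all hypothetical constructions for this example.

```python
from dataclasses import dataclass
from enum import Enum


class SigResult(Enum):
    PASS = "pass"   # a signature from the author domain verified
    FAIL = "fail"   # a signature is present but does not verify
    NONE = "none"   # no signature at all


@dataclass(frozen=True)
class Policy:
    all_signed: bool   # assertion 1: "all messages are signed"
    strict: bool       # assertion 2: "signature-damaging services are avoided"


@dataclass(frozen=True)
class Message:
    sig: SigResult
    via_damaging_service: bool  # transit through a service known to break signatures


def disposition(policy: Policy, msg: Message) -> str:
    """Receiver's handling of one message under the domain's assertions
    (hypothetical rules, not the SSP draft's own algorithm)."""
    if msg.sig is SigResult.PASS:
        return "accept"
    if not policy.all_signed:
        return "accept"              # domain asserts nothing; no basis to object
    if policy.strict:
        # The domain says it never uses damaging services, so a missing or
        # broken signature cannot be excused as transit damage.
        return "reject"
    if msg.sig is SigResult.FAIL and msg.via_damaging_service:
        # Only "all messages are signed" is known: the receiver may infer the
        # signature was damaged in transit and let the message through.
        return "accept-damaged"
    return "reject"


def compare(messages):
    """Apply both policies to the same messages; shows which ones the strict
    assertion removes from the lenient "accept-damaged" path."""
    lenient = Policy(all_signed=True, strict=False)
    strict = Policy(all_signed=True, strict=True)
    return [(disposition(lenient, m), disposition(strict, m)) for m in messages]


# Constructed sample messages, as from a heavily phished commerce domain.
SAMPLE = [
    Message(SigResult.PASS, False),
    Message(SigResult.FAIL, True),    # broken signature, arrived via a list expander
    Message(SigResult.FAIL, False),
    Message(SigResult.NONE, True),
]
```

The second message is the case the post warns about: with only assertion 1 it slips through as "damaged in transit", with assertion 2 it does not.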