MX dot was (Re: [ietf-dkim] TXT wildcards SSP issues

Douglas Otis dotis at mail-abuse.org
Fri Jun 8 07:04:36 PDT 2007


On Jun 8, 2007, at 2:01 AM, Jon Callas wrote:

> It doesn't change any semantics at all. DKIM-BASE does recommend
> ignoring failures. But the whole point of SSP is to consider the case
> where we don't want to ignore failures. We want a missing/broken/etc.
> signature to have meaning.
>
> The receiver doesn't have to do anything. It can ignore all of DKIM.
> But if it doesn't want to, that's where SSP comes in.
>
> The hack I describe is merely setting up your DKIM parameters so that
> any signature on a message must be erroneous; the receiver then does
> whatever they want, including using SSP.

While that should be possible, it also does not provide an optimal  
construct.  Exclusions would be possible only as a result of  
processing a signature.  Providing a method to directly indicate  
whether a signature is valid based upon its domain can offer better  
protection from subsequent queries or the processing of signatures.   
This could also be extended by an authorization scheme where DKIM is  
only checked when it is likely to provide a valid result.

-Doug


