[ietf-dkim] Conflicts between -ssp-requirements and -ssp

Michael Thomas mike at mtcc.com
Sun Sep 30 13:39:44 PDT 2007


Eric Allman wrote:
> It sounds like you are arguing that "all" should be "strict" and
> "strict" should be eliminated; as a corollary, no Third Party
> Signatures should be accepted under any circumstances.  That's a
> valid argument, but it has nothing to do with whether the -ssp draft
> is accurate.

No. Strict seems consistent with the requirements.  For "all", the
problem I'm having is tying the statement "I sign everything" to any
other statement, including "I think that 3rd party signatures are
groovy". They are not inherently linked, and the SSP draft shouldn't
do that. I can very easily say "I sign everything" and have no opinion
whatsoever about other kinds of signatures.
>
> I note however that -ssp-requirements doesn't seem to cover the Third 
> Party Signature case at all.  Section 2 defines "Third Party 
> Signature" but then never uses the term.  In fact, although the one 
> line description of Problem Scenario 1 reads "Is All Mail Signed with 
> DKIM?", and section 4.1 seems to cover the case of a Third Party 
> Signature (at least, it doesn't mandate a First Party Signature), 
> sections 2 and 5.3 point 3 define "DKIM Signing Complete" as requiring 
> a First Party Signature.  In short, it appears that -req doesn't 
> permit third party signatures under any circumstances.  I'm not sure 
> this was the intent of the working group.

It doesn't permit 3rd party signatures for _SSP_ itself. That doesn't
say anything about third party signatures in general which receivers
are perfectly at liberty to use or not use as they see fit. I'm pretty
sure we've been through this ad nauseam about third party signatures
with SSP and that the consensus was that we didn't want to go there.
Look at the archives about whether we needed enumerated lists of 3rd
party signers for example -- that was rejected.

       Mike

