[ietf-dkim] making SSP useless in one short step

[Scott Kitterman]

On Wednesday 05 December 2007 13:46, Michael Thomas wrote:
> [Who is apps-review, and why are they rejecting messages? If this is
>   intended as an apps area review where only Dave gets to post, that's
>   a problem.]
>
> Dave Crocker wrote:
> >>    o  A "Verifier" is the agent that verifies a message by checking the
> >>       actual signature against the message itself and the public key
> >>       published by the Alleged Signer.  The Verifier also looks up the
> >>       Sender Signing Practices published by the domain of the Originator
> >>       Address if the message is not correctly signed by the Alleged
> >>       Originator.
> >
> > Again:  SSP is now not restricted to unsigned messages.  It applies also
> > to a
> > potentially very large class of signed messages.  In effect, SSP now
> > appears
> > to attempting to emulate  SPF strictures of correlation among identity
> > fields.
>
>    If SSP is going to have any utility whatsoever, it cannot be defeated
>    by the mere act of signing a message from any random domain. Period.
>    That would be completely and utterly useless, and a complete joke to
>    create such a specification. When a domain says that it signs all of
>    its mail, it means just that. It doesn't mean that maybe on every
>    third thursday that some other domain might sign the mail. It means
>    that the domain in question signs its own mail with its own
>    signatures. That means that you have to know which domain a piece of
>    mail is purporting to be from. The address chosen in the requirements
>    in RFC5016 is the rfc2822.From address. This was not controversial.
>    Why we're rehash that non-argument now is beyond me.

+1.  It's pretty obvious that it has to be this way.

Scott K