[ietf-dkim] making SSP useless in one short step
ietf-dkim at kitterman.com
Wed Dec 5 13:49:11 PST 2007
On Wednesday 05 December 2007 13:46, Michael Thomas wrote:
> [Who is apps-review, and why are they rejecting messages? If this is
> intended as an apps area review where only Dave gets to post, that's
> a problem.]
> Dave Crocker wrote:
> >> o A "Verifier" is the agent that verifies a message by checking the
> >> actual signature against the message itself and the public key
> >> published by the Alleged Signer. The Verifier also looks up the
> >> Sender Signing Practices published by the domain of the Originator
> >> Address if the message is not correctly signed by the Alleged
> >> Originator.
> > Again: SSP is now not restricted to unsigned messages. It applies also
> > to a
> > potentially very large class of signed messages. In effect, SSP now
> > appears
> > to attempting to emulate SPF strictures of correlation among identity
> > fields.
> If SSP is going to have any utility whatsoever, it cannot be defeated
> by the mere act of signing a message from any random domain. Period.
> That would be completely and utterly useless, and a complete joke to
> create such a specification. When a domain says that it signs all of
> its mail, it means just that. It doesn't mean that maybe on every
> third thursday that some other domain might sign the mail. It means
> that the domain in question signs its own mail with its own
> signatures. That means that you have to know which domain a piece of
> mail is purporting to be from. The address chosen in the requirements
> in RFC5016 is the rfc2822.From address. This was not controversial.
> Why we're rehash that non-argument now is beyond me.
+1. It's pretty obvious that it has to be this way.
More information about the ietf-dkim