[ietf-dkim] Re: ISSUE 1521 -- Limit the application of SSP to unsigned messages

Wietse Venema wietse at porcupine.org
Thu Jan 24 12:44:47 PST 2008


Jim Fenton:
> Arvel Hathcock wrote:
> >>> I would take this further: remove all text that says when to apply
> >>> SSP.  Instead, provide text that states the contribution that SSP
> >>> can make under different conditions:  mail with valid first-party
> >>> signature, mail with valid third-party signature, and mail without
> >>> valid signature.
> >>
> >> I mostly agree with Wietse's proposal.  Yes, I'm aware that diverges 
> >> sharply from the current draft.
> >
> > I could get behind Wietse's proposal also if it hadn't started with "I 
> > would take this further."  I'm concerned with the "this" he refers to 
> > which encourages avoiding SSP completely in the presence of a 
> > verifiable signature from just anybody whom-so-ever.  I view that 
> > notion as completely defeating SSP.
> 
> That's exactly what I was hoping wasn't being proposed.

No worries. The proposed change is to focus on the benefits that SSP
can provide in scenarios as outlined above, not to discourage the
deployment of SSP.

One can do SSP lookup in all three scenarios, but the benefits will
differ.

If mail has only a valid third-party signature, then the receiver
can use both the signer's reputation AND the statement in SSP (AND
any number of other data points) to arrive at a conclusion on how
to dispose of/label/whatever the message.

If mail has no valid signature, then obviously the originator SSP
is directly relevant (together with any number of other data points).
And if mail has a valid first-party signature, SSP is pretty much
redundant.

I hope this clarifies things a little better than my previous terse
statement.

	Wietse

