[ietf-dkim] Re: ISSUE 1521 -- Limit the application of SSP to unsigned messages
Wietse Venema
wietse at porcupine.org
Thu Jan 24 15:04:24 PST 2008
Arvel Hathcock:
> > No worries. The proposed change is to focus the benefits that SSP
> > can provide in scenarios as outlined above, not to discourage the
> > deployment of SSP.
>
> Could there be broader agreement on an SSP specification that lays out
> how to do an SSP lookup but doesn't rigidly mandate where to look or
> when to look? Instead, the spec would lay out several scenarios as
> examples; chief amongst those being when signatures do not match the
> From: domain?

I have been thinking along those lines for the past week or so,
recognizing that DKIM and SSP results will likely be used together
with other data points that may get a higher or lower weight
depending on receiver preferences.

As you recognize, the easiest scenarios are the ones with "valid
first-hand signature" and "no valid signature". In the former case,
the DKIM signature provides a data point, in the latter case, SSP.

The scenario with "valid third-party signature" provides two data
points, one from the DKIM signature and one from SSP. Which of the
two gets more authority is something that IMHO only the receiver
can decide; just like the receiver decides on their weight relative
to any other data points.

This does not change fundamentally when there is more than one
author. One reasonable approach seems to be to iterate over the list, up
to some sane upper bound.

Wietse