[ietf-dkim] Re: ISSUE 1521 -- Limit the application of SSP to unsigned messages

Charles Lindsey chl at clerew.man.ac.uk
Fri Jan 25 07:18:17 PST 2008 

On Thu, 24 Jan 2008 16:18:32 -0000, Dave Crocker <dhc at dcrocker.net> wrote:

> Stephen Farrell wrote:
>>>> 1521    Limit the application of SSP to unsigned messages    new dkim
>>>> Nobody    0 dhc at dcrocker.net    9 days ago        9 days ago    0
>>>
>>>> Proposal: REJECT, but some wording changes may be needed for the next  
>>>> rev, thread is [4] I mainly saw opposition to the change suggested in
>>>> the issue, and little support, but some text clarifying changes were
>>>> suggested (e.g. [5]). [4]
>>>> http://mipassoc.org/pipermail/ietf-dkim/2007q4/008424.html [5]
>>>> http://mipassoc.org/pipermail/ietf-dkim/2007q4/008467.html
>>
>>> Would you please explain the basis for assessing that this topic got  
>>> sufficient discussion and that there was rough consensus on it?
>>  See above "I mainly saw..."
>
>
> Summary of proposal:
>
>> All text that causes SSP to be applied to an already-signed message  
>> needs to be removed.
>

> I would like to ask folks with an opinion about this proposal to post an  
> explicit note stating support or opposition.  Some of the existing posts  
> were about substantive issues in the proposal, but did not clearly  
> indicate support or opposition.

-1 - mainly because the proposal is meaningless.

SSP is applied by verifiers close to the final recipient. We expect  
messages to be "already-signed" at the point, so you essentially seem to  
be saying "SSP is NEVER to be applied".

Even if "already-signed" is taken to mean "already-validly-signed", that  
still leaves open the question "has it been signed by the right people?",  
and answering that question is the whole point of SSP.

Even if all the From addresses have SSP policies "all" (in which case any  
valid signature is good enough) you still need to do the SSP lookup in  
order to establish that fact.

Because, if one of them has SSP=strict, and you fail to lookup the SSP,  
then you will let through messages that the strict-domain wanted to you  
reject.

So the proposal is tantamount to abolishing the 'strict' category  
entirely. Either that, or it is meaningless.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
   Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

More information about the ietf-dkim mailing list