On August 17, 2005 at 09:03, Dave Crocker wrote:

> In fact the main reason that I question the need to have most/any of SSP -- in
> the *first* round of standardization -- is that there is quite a bit of utility
> in exactly the scenario you describe: A message arrives with a signature.
> *ANY* signature. There is quite a bit of useful information derived from
> validating that signature, or having the signature fail validation.

Huh. You seemed to be supporting the route I was advocating of defining a basic signature algorithm and then defining applications on top of that.

Anyway, a signature itself has no real value. Now some value is implied depending on how keys are managed. Since (I'm guessing) you are quietly inferring that keys are retrieved from DNS, then some semantics to the signature are being defined. It is these semantics that provide value; key retrieval provides little to go on from a verification perspective. Without having well-defined semantics and bindings for a signature, a signature has no value at the application level.

> There is *MORE* useful information if the validator can know that the signature
> ID is "authorized" by the rfc2822.From domain administrator, but that
> information is not essential for creating an initial base of utility.

Would you please elaborate more on what you consider to be the "initial base of utility"?

--ewh
