----- Original Message -----
From: "John R Levine" <[EMAIL PROTECTED]>
Subject: Re: [ietf-dkim] Attempted summary, SSP again

>>> I'm increasingly getting the impression that we don't
>>> really understand the semantics of SSP.
>
>>> Here are the current proposed policies: ...
>>>
>>> o=! EXCLUSIVE (signature required, no 3rd party)
>
> Well, OK. If a message has both a signature from the From: domain and
> one from someone else, does that pass? Why or why not?

For the EXCLUSIVE policy? Following SSP, it would be a REJECT because
the policy says no 3PS should exist. If it does, then it should be
given the evil eye.

> I'm not proposing we solve this here, just that we note that SSP
> is a can of worms that we must carefully keep out of the path of
> the basic signature work.

I understand what you are saying, but it is what it is. That is what
the DKIM/SSP drafts define. It is already "solved" per se. All I
showed are the effective boundary conditions.

The protocol is well defined, and the only way to get maximum security
benefits is to make sure all parties consistently follow it. Any
deviation from it and the protocol breaks down with loopholes.

I think it's doable and has both logical and technical merits. Whether
it's feasible or practical to have both signer and verifier policy
verification, that's another issue. But that is what is required to
make what is proposed work.

It is up to us to decide if DKIM/SSP is ok. But if we are going with
this stuff, following SSP is the only way we can make any sense of the
signatures. Anyone can sign anything. But are you authorized to sign
it? In my view, without SSP, the only signature policy is an EXCLUSIVE
one.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com

_______________________________________________
ietf-dkim mailing list
http://dkim.org
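The question John asks above (From: domain signature plus a third-party signature under o=!) and the answer Hector gives (REJECT, because no 3PS may exist) boil down to a small decision on the verifier side. What follows is an added example, not code from the thread or from the DKIM/SSP drafts, showing one way a verifier could encode that EXCLUSIVE reading. It assumes, beyond what the message states, that the SSP record is a DKIM-style tag=value list such as "o=!", that the caller passes in only the d= domains of signatures that have already verified cryptographically, and that domains match by case-insensitive exact comparison (no subdomain rules). The function names and the sample domains example.com and lists.example.org are constructed for the example.

```python
"""SSP EXCLUSIVE ("o=!") policy evaluation, as discussed in the thread.

Added example. Assumptions not in the original message: record syntax is
DKIM-style "tag=value; tag=value"; the signer list contains only domains
whose signatures already verified; domain match is exact (case-folded,
trailing dot stripped), with no subdomain rules.
"""

from dataclasses import dataclass
from typing import Dict, Iterable

EXCLUSIVE = "!"  # o=!  EXCLUSIVE: signature required, no third party


def parse_ssp_record(record: str) -> Dict[str, str]:
    """Parse a DKIM-style tag=value record (e.g. "o=!; t=y") into a dict.

    The tag=value syntax is an assumption; the thread only shows the o= tag.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed SSP tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


@dataclass(frozen=True)
class Verdict:
    result: str  # "pass", "reject" or "unknown"
    reason: str


def _canon(domain: str) -> str:
    """Case-fold and drop a trailing dot so example.com == Example.COM."""
    return domain.strip().lower().rstrip(".")


def evaluate_exclusive(from_domain: str,
                       verified_signer_domains: Iterable[str]) -> Verdict:
    """Apply the EXCLUSIVE reading given in the reply: the From: domain must
    have signed, and no verified signature from any other domain may exist.

    This is what answers the "both signatures" question: the extra
    third-party signature alone is enough to reject.
    """
    author = _canon(from_domain)
    signers = {_canon(d) for d in verified_signer_domains}

    if author not in signers:
        return Verdict("reject", "o=! requires a signature from the From: domain")

    third_party = sorted(signers - {author})
    if third_party:
        # Covers John's case: From: domain signature present AND a 3PS present.
        return Verdict("reject",
                       f"o=! forbids third-party signatures: {third_party}")

    return Verdict("pass", "signed by the From: domain only")


def evaluate_policy(record: str, from_domain: str,
                    verified_signer_domains: Iterable[str]) -> Verdict:
    """Dispatch on the o= tag. Only o=! is modelled here, because that is the
    only policy value the thread quotes; anything else is reported as unknown
    rather than guessed at.
    """
    tags = parse_ssp_record(record)
    policy = tags.get("o")
    if policy == EXCLUSIVE:
        return evaluate_exclusive(from_domain, verified_signer_domains)
    return Verdict("unknown", f"o={policy!r} not modelled in this example")


if __name__ == "__main__":
    # Constructed sample inputs for the four boundary conditions.
    cases = [
        ("example.com", ["example.com"]),                        # first party only
        ("example.com", ["example.com", "lists.example.org"]),   # both (John's case)
        ("example.com", ["lists.example.org"]),                  # third party only
        ("example.com", []),                                     # unsigned
    ]
    for author, signers in cases:
        v = evaluate_policy("o=!", author, signers)
        print(f"From: {author:<12} signers={signers!s:<40} -> {v.result}: {v.reason}")
```

Note that the list returned in the reject reason names the offending third-party signers, which is what an operator would want logged when a mailing list or forwarder re-signs traffic from an o=! domain.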
