----- Original Message -----
From: "Jim Fenton" <[EMAIL PROTECTED]>
To: "william(at)elan.net" <[EMAIL PROTECTED]>
>> So if message has Resent-From field would SSP check be done
>> against From or Resent-From or both?

> From. Always From, unless there is a valid signature where the
> signing address matches the From address, in which case no SSP
> check is required.

Said another way, only for 1st party valid signatures, a policy check is not required.

The reasoning has been:

To exploit the 1st party key is to exploit the policy record as well, since the commonality is the domain name, hence same DNS storage. So if the key was exploited unbeknownst to the verifier, the policy record is more than likely exploited as well. The exploited key will be authorized by the exploited policy.

However, policy controls can be added against 3rd party signatures. The 3rd party threat exploit is when 3rd party validated signing is not an authorized nor an expected practice by the originating and responsible domain. The original domain is not exploited in this case.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
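An added example, not part of the original message and not code from any SSP or DKIM implementation, of the rule discussed above: the policy lookup is keyed on From (never Resent-From) and is skipped only when a valid first-party signature is present. Assumptions: signature verification results are passed in rather than computed, the matching rule in `is_first_party` is this example's reading of "signing address matches the From address", and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

def parse_tags(sig_value):
    """Parse a DKIM-Signature tag list ("v=1; d=example.com; ...") into a dict."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def signing_identity(tags):
    """Return the i= identity; DKIM defaults it to "@<d=>" when i= is absent."""
    return tags.get("i", "@" + tags.get("d", "")).lower()

def is_first_party(identity, from_addr):
    """Assumption: a match is an identity equal to the From address, or one
    with an empty local part and the same (non-empty) domain as From."""
    local, _, domain = identity.rpartition("@")
    from_domain = from_addr.rpartition("@")[2]
    return identity == from_addr or (local == "" and bool(domain) and domain == from_domain)

def ssp_decision(raw_message, valid_flags):
    """valid_flags[i] is the externally computed (assumed) verification result
    of the i-th DKIM-Signature header. Returns (ssp_check_required, domain)."""
    msg = message_from_string(raw_message)
    # Always From; Resent-From is never consulted.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    for value, valid in zip(msg.get_all("DKIM-Signature", []), valid_flags):
        if valid and is_first_party(signing_identity(parse_tags(value)), from_addr):
            return (False, from_domain)  # valid 1st party signature: no lookup
    return (True, from_domain)  # unsigned, invalid, or 3rd party only

# Constructed sample: resent message carrying only the forwarder's signature.
RESENT = ("Resent-From: list@forwarder.example\n"
          "DKIM-Signature: v=1; d=forwarder.example; s=k1; b=CONSTRUCTED\n"
          "From: alice@origin.example\n"
          "Subject: test\n\nbody\n")
# Constructed sample: message signed by the author's own domain.
DIRECT = ("DKIM-Signature: v=1; d=origin.example; i=alice@origin.example; "
          "s=k1; b=CONSTRUCTED\n"
          "From: Alice <alice@origin.example>\n\nbody\n")

if __name__ == "__main__":
    print(ssp_decision(RESENT, [True]))
    print(ssp_decision(DIRECT, [True]))
```
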
