On Monday 31 July 2006 21:22, John Levine wrote: > >I think this is the key issue then and we ought to focus on it. In > >my view almost the entire point of a signing policy is constraining > >whose signatures are considere authorized by the domain owner. > > I'm assuming that when you say authorized, you mean authoritative. > (English definitely has its shortcomings.)
I meant authorized, as I think the SSP concept is about authorization. I can see where authoritative fits better as I wrote it. I'm not sure there is a distinction between the two worth arguing about. > > A few scenarios: > > Message from domain A, signed by A; does SSP matter at all? > There needs to be a design decision made. Is it better to have a default policy where this case is authorized and no SSP lookup is required or is it better to have no assumptions made and lookup SSP in all cases. I think this decision is an optimization decision that can be made late in the game. Off the top of my head, I can't see why we would need an explicit SSP for this unless it is for completeness sake. Completeness is not such a bad thing. > Message from A, signed by B; A's SSP says B signs all its mail I would say that A's SSP says B is an authorized signer for all its mail. It may or may not be the only signer. > Message from A, signed by A and B; does SSP matter? (I hope not.) In my book it's the same as A signed by A. The only concern I would have is if B added content, what to do about that, I'm not sure. I expect that's probably a question for receiver policy and unlikely to be standardized. > > Message from A, signed by C; SSP says nothing about C. Yes. Then how to treat this would be a question of what A's SSP says (is the list exclusive or not) and the receiver policy. I think that the matrix that Hector did back at (or possibly just before) the working group started was a good one. Scott K _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
