On Aug 11, 2006, at 1:31 AM, Stephen Farrell wrote:

> Hector Santos wrote:
>> The Protocol MUST NOT be required to be invoked if a valid first
>> party signature (without the 's') is found.
>> ...
>> The implementation can choose to look at the verification of first
>> or decide to do the SSP first. As long as the combined results
>> produce the same outcome, it should not matter how it is done.
>
> Those are not in conflict. As I read it the requirement states that
> an SSP lookup MUST NOT be REQUIRED (== is OPTIONAL) when a valid
> first party signature is present.
>
> I guess rephrasing it as follows might make you happier:
>
>    The Protocol MAY be invoked when a valid first party signature
>    is present.
>    [INFORMATIVE NOTE: The expectation is that most implementations
>    will not (always) invoke the protocol in this case.]
>
> IMO those are equivalent, so I don't mind which gets used. Maybe
> others prefer one over the other or don't agree about equivalence?

FPA = First Party Address
FPD = First Party Address Domain
FPS = First Party Signature

Clarify the definition of FPS and FPD.
This should be considered for the following reasons:

- Delegating domains or exchanging key/selectors on a large scale is
not practical.
- DKIM signatures, in combination with policy that lists domains
authoritative for a FPD, provide a practical means to confirm the
validity of the FPA. A policy listing authoritative domains allows
the FPA to be validated while the signing domain is outside the FPD.
FPA validation and appropriate annotations of a validated FPA
recognized and applied by an MUA, in conjunction with correspondence
or address book information, represent a protection scheme immune to
internationalization and look-alike exploits often used in phishing
gambits. This protection scheme does not require support by outside
services to be effective.
- The protection using FPA validation does not require policy to
disqualify message sources. A list of authoritative domains must be
considered to be separate from any assertion of exclusivity of
sources. This separability is a policy requirement. With this
separability and the FPA validation protective mode, other common
email services, such as mailing lists, are not impaired.
- An organization like the DAC might certify which DKIM providers
adequately protect FPAs when the signing domain is not within the FPD.
- A policy listing authoritative domains can utilize wildcards as a
means to indicate whether subdomains are authoritative.
- A policy listing authoritative domains can also exclude a parent
domain as being authoritative.

This last point requires a clarification in the definition of FPS and
FPD. Not defining a parent domain as matching by default with that
of the authoritative list of domains will return some control to the
domain owner. The domain owner would not be fully dependent upon the
parent domain to limit their exposure to many types of breaches that
may occur within the parent domain. Excluding a parent domain match
as a reason for not obtaining policy would therefore improve security.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
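
The matching rules argued for in the message above (an authoritative-domain list with wildcards, no default parent-domain match, and a miss that implies no rejection), as an added Python example that is not part of the original message or of any DKIM draft. The policy representation, the function names, the result strings and the reading of a `*.` prefix as "subdomains only" are assumptions made for illustration.

```python
# Added illustration. The policy representation is hypothetical: a plain list
# of domain names published for the FPD, where a "*." prefix is assumed to
# cover subdomains only. It is not a format defined by any DKIM/SSP draft.

def _labels(domain):
    return domain.rstrip(".").lower().split(".")

def entry_matches(entry, signing_domain):
    """True if one authoritative-list entry covers the signing domain."""
    e, s = _labels(entry), _labels(signing_domain)
    if e[0] == "*":
        suffix = e[1:]
        # Wildcard: at least one extra label in front of the suffix.
        return bool(suffix) and len(s) > len(suffix) and s[-len(suffix):] == suffix
    return e == s  # exact match only; no implicit parent/child relation

def validate_fpa(fpa, signing_domain, signature_valid, authoritative):
    """Classify the First Party Address (FPA) of one message.

    Returns "fpa-validated" or "fpa-unconfirmed". A miss is never a
    rejection: exclusivity of sources is a separate policy assertion.
    """
    if not signature_valid:
        return "fpa-unconfirmed"
    fpd = fpa.rsplit("@", 1)[1]  # First Party Address Domain (FPD)
    if _labels(signing_domain) == _labels(fpd):
        return "fpa-validated"  # first party signature (FPS)
    # A parent of the FPD gets no default match; it must be listed like
    # any other outside signer.
    if any(entry_matches(e, signing_domain) for e in authoritative):
        return "fpa-validated"
    return "fpa-unconfirmed"

if __name__ == "__main__":
    # Constructed sample data: (FPA, signing domain, list published for the FPD).
    policy = ["esp.example.net", "*.mail.example.org"]
    cases = [
        ("alice@example.com", "example.com", policy),
        ("alice@example.com", "esp.example.net", policy),
        ("alice@example.com", "mail.example.org", policy),
        ("bob@sales.example.com", "example.com", []),
        ("bob@sales.example.com", "example.com", ["example.com"]),
    ]
    for fpa, signer, listed in cases:
        print(fpa, signer, validate_fpa(fpa, signer, True, listed))
```
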