On Wednesday 05 December 2007 13:46, Michael Thomas wrote: > [Who is apps-review, and why are they rejecting messages? If this is > intended as an apps area review where only Dave gets to post, that's > a problem.] > > Dave Crocker wrote: > >> o A "Verifier" is the agent that verifies a message by checking the > >> actual signature against the message itself and the public key > >> published by the Alleged Signer. The Verifier also looks up the > >> Sender Signing Practices published by the domain of the Originator > >> Address if the message is not correctly signed by the Alleged > >> Originator. > > > > Again: SSP is now not restricted to unsigned messages. It applies also > > to a > > potentially very large class of signed messages. In effect, SSP now > > appears > > to attempting to emulate SPF strictures of correlation among identity > > fields. > > If SSP is going to have any utility whatsoever, it cannot be defeated > by the mere act of signing a message from any random domain. Period. > That would be completely and utterly useless, and a complete joke to > create such a specification. When a domain says that it signs all of > its mail, it means just that. It doesn't mean that maybe on every > third thursday that some other domain might sign the mail. It means > that the domain in question signs its own mail with its own > signatures. That means that you have to know which domain a piece of > mail is purporting to be from. The address chosen in the requirements > in RFC5016 is the rfc2822.From address. This was not controversial. > Why we're rehash that non-argument now is beyond me.
+1. It's pretty obvious that it has to be this way. Scott K _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
