Dave Crocker:
> To explore this approach a bit further, I'm going to wonder about the supposed
> need for an SSP check when a signature is present.
>
> If a signature uses a domain related to the author's domain, then we have
> no SSP issue. The author's domain is used for assessment. No SSP query need
> be made.

[Plus a straightforward DNS-based delegation mechanism so that the
author's ISP can use a UNIQUE signing domain that relates directly
to the author's domain]

> If a signature is not present, THEN an SSP "I sign everything" record
> might be useful (modulo the problem of surviving mailing list.)
>
> If a signature is present, but is not associated with the author's
> domain, then make the assessment based on the signing domain, not the
> author's domain. Again, no SSP query is needed.
>
> OK. Start shooting...

I like this. This is very close to what I want: signed mail that
speaks for itself, whether it's first-party or third-party signed.
No batteries required.

Wietse

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html