Dave Crocker:
> To explore this approach a bit further, I'm going to wonder about the supposed
> need for an SSP check when a signature is present.
> 
>      If a signature uses a domain related to the author's domain, then we have
> no SSP issue.  The author's domain is used for assessment.  No SSP query need
> be made.

[Plus a straightforward DNS-based delegation mechanism so that the
author's ISP can use a UNIQUE signing domain that relates directly
to the author's domain]

>      If a signature is not present, THEN an SSP "I sign everything" record
> might be useful (modulo the problem of surviving mailing list.)
> 
>      If a signature is present, but is not associated with the author's
> domain, then make the assessment based on the signing domain, not the
> author's domain.  Again, no SSP query is needed.
> 
> OK.  Start shooting...

I like this. This is very close to what I want: signed mail that
speaks for itself, whether it's first-party or third-party signed.
No batteries required.

        Wietse
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
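
The three cases proposed in the quoted message, sketched as an added example; it is not code from either poster or from the DKIM working group. The function names are hypothetical, the reading of "related" (identical domain, or signer is a parent of the author's domain) is an assumption, and the signatures are assumed to have been cryptographically verified by an earlier step that is not shown.

```python
from email import message_from_string
from email.utils import parseaddr

def signing_domains(msg):
    """d= values of every DKIM-Signature header, lowercased."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        # Tag-list is "tag=value" pairs split by ';'; drop folding whitespace first.
        for part in "".join(value.split()).split(";"):
            tag, _, val = part.partition("=")
            if tag == "d" and val:
                found.append(val.lower().rstrip("."))
    return found

def author_domain(msg):
    """Domain of the From: address (the 'author's domain' in the thread)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def related(signer, author):
    # Assumption: "related" = identical, or signer is a parent of the author's domain.
    return author == signer or author.endswith("." + signer)

def plan(raw_message):
    """Return (domain to assess, domain to query for SSP); either may be None."""
    msg = message_from_string(raw_message)
    author, signers = author_domain(msg), signing_domains(msg)
    if not signers:
        return (None, author)          # unsigned: the only case with an SSP query
    for d in signers:
        if related(d, author):
            return (author, None)      # first-party: assess the author's domain
    return (signers[0], None)          # third-party: assess the signing domain

# Constructed sample messages (signature values are dummies, not verifiable).
SIG = "DKIM-Signature: v=1; a=rsa-sha256; d=%s;\n s=sel; h=from; bh=AAAA=; b=BBBB==\n"
FIRST = "From: Alice <alice@example.com>\n" + SIG % "example.com" + "\nhi\n"
THIRD = "From: Alice <alice@example.com>\n" + SIG % "lists.example.net" + "\nhi\n"
UNSIGNED = "From: Alice <alice@example.com>\nSubject: hi\n\nhi\n"

if __name__ == "__main__":
    for name, raw in (("first", FIRST), ("third", THIRD), ("unsigned", UNSIGNED)):
        print(name, plan(raw))
```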