Dave Crocker wrote:
> 2. Unsigned vs. Mismatched Signature
>
> The original SSP specification applied only to unsigned messages. The
> current version includes mail that is signed but has different domains
> between the DKIM i= attribute and the rfc2822.From field. Presumably,
> this new capability overrides whatever reputation is associated with
> the message signer.
This is hardly new. In fact, this train has long since left this
station as it's in rfc5016:
   5.3:
      2. SSP MUST provide a concise linkage between the [RFC 2822].From and
         the identity in the DKIM i= tag, or its default if it is missing
         in the signature. That is, SSP MUST precisely define the
         semantics of what qualifies as a first party signature.
         Refs: Problem Scenarios 1 and 2, Sections 3.1 and 3.2.
I don't know why this is being brought up again after it was discussed
and issue tracked for the requirements.
> If a signer has a good reputation, then why is that not sufficient for
> enabling delivery? In other words, with a signature of a domain with a
> good reputation, what threats is SSP trying to protect against?
SSP doesn't dictate outcome. Never has, never will.
Mike
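The "concise linkage" between the DKIM i= identity (or its default) and the rfc2822.From domain that the quoted RFC 5016 requirement asks for, shown as an added verifier-side check; this is example code written for this thread, not part of any SSP draft or library. It assumes exact domain equality for "first party" (subdomain treatment is left to policy) and uses constructed sample headers.

```python
from email.utils import parseaddr

# Constructed sample DKIM-Signature values (not from the thread); bh= and b= are placeholders.
FIRST_PARTY_SIG = "v=1; a=rsa-sha256; d=example.com; s=sel; i=@example.com; h=from:to; bh=BODYHASH; b=SIG"
NO_I_TAG_SIG = "v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to; bh=BODYHASH; b=SIG"
THIRD_PARTY_SIG = "v=1; a=rsa-sha256; d=esp.example.net; s=sel; i=@esp.example.net; h=from:to; bh=BODYHASH; b=SIG"


def parse_dkim_tags(header: str) -> dict:
    """Split a DKIM-Signature tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def signing_identity(tags: dict) -> str:
    """Return the i= identity, or its RFC 4871 default '@<d=>' when the tag is absent."""
    d = tags.get("d", "").lower()
    i = tags.get("i")
    return i.lower() if i else "@" + d


def domain_of(address: str) -> str:
    """Domain part of a signing identity or From address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def classify_signature(dkim_signature: str, from_header: str) -> str:
    """Link the signature identity to rfc2822.From as RFC 5016 5.3 item 2 requires.

    Returns 'first-party' when the i= domain (or its default) equals the From
    domain, 'third-party' when it does not, and 'invalid' when i= is not
    within d= (RFC 4871 requires the i= domain to be d= or a subdomain of it).
    Assumption: exact domain equality; subdomain handling is a policy choice.
    """
    tags = parse_dkim_tags(dkim_signature)
    d = tags.get("d", "").lower()
    if not d:
        return "invalid"
    ident_domain = domain_of(signing_identity(tags))
    if not (ident_domain == d or ident_domain.endswith("." + d)):
        return "invalid"
    from_domain = domain_of(parseaddr(from_header)[1])
    return "first-party" if ident_domain == from_domain else "third-party"
```

A message classified "third-party" is exactly the signed-but-mismatched case the quoted text discusses; what SSP does with that label is a separate policy question.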
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html