[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of John L
> It's true, I don't, and I've been trying to figure out why
> not. It finally came to me: senders are not the right people
> to judge their own importance.

True but senders can state whether:
1) They have been accredited as a financial institution
2) They have been a target of phishing attacks
And most importantly
3) Whether they sign all their outgoing email or not.

> When I think of SSP records saying dump mail if it's not
> signed, I see a bunch of tiny gorillas*, beating their teensy
> chests and saying in high squeaky voices, "Beware, oh
> Internet, of the Scourge of Criminals attempting to forge the
> image of my Inestimable Personage, and do not DARE to be
> fooled by these Base Mockeries of Communication!" The only
> reasonable response from everyone else is somewhere between
> "Huh?" and "Get real."

The fact that a few chimps might try to use the mechanism does not mean that
there are no gorillas with legitimate reasons to do so.
All that policy does is to describe the sender's outgoing email configuration
and possibly provide some description of the sender.
This has almost nothing to do with what a third party might do in this area. It
makes little sense to attach accreditation records to the domain; they should
attach to the key record.
Speaking as the Principal Scientist of the largest Internet accreditation
provider (larger than the members of DAC put together) I do not see a reason
why third party accreditation should be preferred over self-accreditation for
the negative accreditations in this particular instance.
If someone is saying something positive about themselves then that is something
that you probably want to have a third party there to provide an independent
view. If on the other hand someone is making a statement of the form 'I am not
trustworthy' or 'Anyone who fails to authenticate as me is not me' then self
accreditation works fine and is a necessary complement to giving the TTP
asserted positive assertions value.

> If the ABA or the FDIC published a list of domains used by
> member banks to send signed transactional mail, I would find
> that really useful. A list of people who think they are as
> threatened by forgery as those banks is useless other than
> for entertainment value.

That is a parochial view. The ABA is not an international organization and
shows no inclination to repeat the routing number role.
Unless you can provide an active member of these organizations who says that
they want to do this role the suggestion is futile. My interactions with
bankers through the APWG strongly suggest that they do not want this role.

> So that's the problem with SSP. Whatever your policy is,
> unless you're someone I already have reason to be interested
> in, I don't care.

While it is true that I may wish to obtain additional information before
acting, a mechanism that signals to me that there may be such information to
find is still useful.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html