J.D. Falk wrote:
> But this message isn't signed (and/or the signature is invalid, which
> base says is the same thing.) How do I find out whether or not the
> First Amalgamated Bank of Example thinks that they sign all of their
> messages? That should be a simple, binary operation, right? I really
> don't care about anything else the sender may want to assert.
> Should that be in SSP?
Yes. It is a simple DNS query.
> Should it be in something else?
No, not if it's not a standard.
> Should I encourage all of the banks to use a non-standardized
> external mechanism while y'all argue?
No, not in my view, because exploiters will use that special YAHOO/BANK
non-standard process against other systems in yet another attempt to
mask the message as legitimate. In fact, in my technical opinion, you
might put the bank at risk by encouraging a non-standardized method.