Steve Atkins wrote:
Actually, I think that's the LAST step. My hypothesis is that
different types of signers and/or verifiers (different use cases)
perceive different threats.
Well, without knowing what threats SSP is supposed to mitigate, it's
impossible to start analyzing how well it does so. So identifying the
threats certainly can't be the last step, and I can't actually think
of anything that comes before that.
Where would you start?
Dangit, Steve, we're agreeing again. I'm going to start by documenting
the many different-yet-overlapping use cases & related threats. The
only difference from your earlier statement is that I don't think we'll
ever have consensus on The One True Threat Model; instead each
different-yet-overlapping user of DKIM & SSP will have
different-yet-overlapping concerns about each.