I'm sorry, this all seems completely circular to me with
"Good Enough" being defined in terms of itself. I cannot
evaluate when to stop when I don't have metrics to judge
when to stop. My metrics have been fairly simple minded: the
vast majority of mail as received by the ultimate domain
which will deliver it to a message store better verify
correctly, and the signature must correlate in ways that can
be usefully reported to unsophisticated users.
Fine, so let's run with these. The first of these canont be achieved with the
present infrastructure unless protection is restricted to long hop situations,
doesn't protect the entire message, or both. This then exludes the ideal of
protecting the entire message end to end, which is exactly the goal some people
seem to be striving for, and in so doing letting the best be the enemy of what
you yourself are now saying is good enough.
I will also note that wide deployment is a necessary prerequisite to meet
the "majority of mail received has to verify" condition, so your metric
is in some ways little different from my own.
The second of these argues stringly that accreditation has to be part of the
work we do, because without it I see no way to perform the correlation you're
If you have a different set of metrics, please state them.
I have stated my metrics. I see nothing about them that's in any way circular,
so I guess this conversation is over.