On Jan 4, 2006, at 12:02 PM, Scott Kitterman wrote:
> On 01/04/2006 14:20, Douglas Otis wrote:
>> SPF and SSP will have similar problems. With SPF, you have
>> pointed out the RFC1123 5.3.6(a) issue that may cause those
>> concerned with the resulting disappearance of messages to use the
>> '?' qualifier, which is fairly common.
>
> This is completely contrary to my experience. Because I use shared
> MTAs, almost all e-mails I send have an SPF NEUTRAL (?) result.

This is agreeing that open-ended authorizations are not uncommon? SSP
also relies upon this open-ended method for similar reasons. For as
long as a domain has not become the target of abuse, why would there
be a problem? When used as an identifier, as purported by Sender-ID
for example, protection of one's email-address domain's reputation
relies more upon luck and not design. Moving closer to using
"closed" authorizations will likely also require adoption of the PRA
header selection algorithm or waiting for some rather major changes
to occur. :(

> So, even if you start out with the premise that SSP is like SPF (I
> don't think that's right either), nothing that follows in the
> original e-mail is correct.

Are you suggesting the email-address domain owner providing the
authorization will never be held accountable for the type of
authorization they use? It is not surprising to see a strong desire
by providers to shift the burden of reputation onto the email-address
domain owner, but this is not fair for many reasons.

What protection does an "open-ended" authorization provide the
recipient? How could this be considered safe? Even assuming a
"Closed" authorization were used, this also relies upon the visual
examination of the email-address, which is often not shown to the
recipient. Is there an assumption that the MUA must be altered to
take advantage of the DKIM signature? If that is the case, why not
use recognition rather than authorizations, as this offers far
greater safety?

-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
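
The difference between the open-ended ('?') and "closed" authorizations debated in this message, as an added example that is not part of the thread: a small evaluator for the ip4/ip6/all subset of SPF, using the qualifier-to-result mapping of the SPF specification (RFC 4408). The records, client addresses and function names are constructed for illustration and use documentation address ranges.

```python
import ipaddress

# Qualifier -> result, per the SPF specification (RFC 4408).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split a record into (qualifier, mechanism, argument) terms.
    Only ip4, ip6 and all are handled; anything needing DNS is rejected."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for part in parts[1:]:
        qualifier, body = (part[0], part[1:]) if part[0] in QUALIFIERS else ("+", part)
        name, _, arg = body.partition(":")
        name = name.lower()
        if name not in ("ip4", "ip6", "all") or (name != "all" and not arg):
            raise ValueError("term not handled in this example: " + part)
        terms.append((qualifier, name, arg))
    return terms

def check_host(record, client_ip):
    """Return the SPF result for client_ip; the first matching term wins."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all" or ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and there is no "all" term

# Constructed records for a hypothetical domain (documentation address ranges).
RECORDS = {
    "open-ended": "v=spf1 ip4:192.0.2.0/24 ?all",
    "closed": "v=spf1 ip4:192.0.2.0/24 -all",
    "shared-mta": "v=spf1 ip4:192.0.2.0/24 ?ip4:203.0.113.0/24 -all",
}
# Constructed clients: the domain's own MTA, a shared MTA, an unrelated host.
CLIENTS = {"own": "192.0.2.25", "shared": "203.0.113.10", "other": "198.51.100.7"}

def result_table():
    """SPF result for every constructed record against every constructed client."""
    return {label: {who: check_host(rec, ip) for who, ip in CLIENTS.items()}
            for label, rec in RECORDS.items()}

if __name__ == "__main__":
    for label, row in result_table().items():
        print(f"{label:11s} {row}")
```

With the open-ended record every unlisted host receives `neutral`, while the closed record turns the same hosts into `fail`; the third record gives `neutral` only to the shared MTA range.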