I really don't like paragraph two of the introduction:
Once the attesting party or parties have been established, the
recipient may evaluate the message in the context of additional
information such as locally-maintained whitelists, shared reputation
services, and/or third-party accreditation. The description of these
mechanisms is outside the scope of this effort. By applying a
signature, a good player enables a verifier to associate a positive
reputation with the message, in hopes that it will receive
preferential treatment by the recipient.
If the A/R issue is out of scope, then there is no need to refer. This
introduction has laid the groundwork as to HOW one may deem what is good
or bad - reputation.
Yet, the intro lacks any introduction of SSP, which is currently the
primary mechanism to establish the assurances of the protocol as it is
discussed throughout the document as well as any threats against it. It
is the basis for much of the threat discussions, yet there is no
reference or introduction to SSP as an essential part of the protection
scheme used to address threats.
Instead, we have what is supposed to be an "out of scope" A/R discussion
throughout the document.
The truth is, it is not out of scope. A/R discussion is found
throughout the entire document as an essential idea, technology or
what have you to resolve many of the issues.
We even have a TOC index for Reputation but not SSP. Go figure.
Doesn't make sense. What do you guys want?
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
_______________________________________________
ietf-dkim mailing list
http://dkim.org