ietf-dkim

Re: [ietf-dkim] requirements

2006-07-27 17:31:34
Douglas Otis wrote:

> On Jul 27, 2006, at 3:40 PM, Jim Fenton wrote:
>> I have a somewhat less tangible concern, too.  If example.com
>> publishes an SSP record saying that some mail provider is an
>> authorized sender, and there is an abuse problem, will example.com
>> feel the same responsibility for the use of their address as if the
>> message had been signed directly "by" their domain?  They may not,
>> and I view any spreading of the responsibility to be undesirable.
>
> Regardless of the OA, spam will reflect poorly upon the signing
> domain.  Reports of abuse and expectations of who will resolve an
> abuse issue always fall to the signing domain.  There will not be
> any "spreading" of responsibility.  There is no means to know whether
> the OA is even valid!  The identity of the OA depends upon the
> assertion made by the signing domain.

"Spreading" was perhaps not the right word to use.  But the signature is
now coming from a different place, so whom it reflects poorly upon is
now changing.  That makes it a fundamentally different thing than key
delegation.  Allowing a domain to delegate the ability to sign their
mail and not holding the delegating domain responsible at all seems
undesirable in that it doesn't discourage domains from doing business
with dubious mailing services.

-Jim
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html