As long as we all remember that bad actors can get a domain, populate
dkim keys and ssp, then send spam until they are noticed and shut down.
Policy will be by the receiver that a message that fails dkim/ssp is
flagged for a closer examination than a message that passes both dkim
and ssp but all mail will continue to be scrutinized.
Thanks,
Bill Oxley
Messaging Engineer
Cox Communications, Inc.
Alpharetta GA
404-847-6397
bill(_dot_)oxley(_at_)cox(_dot_)com
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of John Levine
Sent: Monday, July 31, 2006 9:23 PM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Cc: ietf-dkim(_at_)kitterman(_dot_)com
Subject: Re: [ietf-dkim] A few SSP axioms
I think this is the key issue then and we ought to focus on it. In
my view almost the entire point of a signing policy is constraining
whose signatures are considered authorized by the domain owner.
I'm assuming that when you say authorized, you mean authoritative.
(English definitely has its shortcomings.)
A few scenarios:
Message from domain A, signed by A; does SSP matter at all?
Message from A, signed by B; A's SSP says B signs all its mail
Message from A, signed by A and B; does SSP matter? (I hope not.)
Message from A, signed by C; SSP says nothing about C.
R's,
John
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html