How does the post office do it? It receives mail from other countries
and determines what kind of stamps, official franking, etc. to either
deliver or return to sender unopened. Part of that is a balance of
payment schedule but I imagine it is a mutual bi-lateral agreement that
determines this. A ruthless prosecution of people who purport to send
legitimately franked mail is also part of the solution.
DKIM is an electronic stamp, SSP (to me) appears to be the franking
system.
A bi-lateral agreement that implementers can agree that if the stamps
and the franks are okay, mail will be deemed semi acceptable except for
checking for criminal (spammish) activities.
Thanks,
Bill Oxley
Messaging Engineer
Cox Communications, Inc.
Alpharetta GA
404-847-6397
bill(_dot_)oxley(_at_)cox(_dot_)com
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of John Levine
Sent: Friday, August 04, 2006 11:41 PM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] SSP requirements
I can't gather requirements if I can't make any sense of what you're
saying.
That's a reasonable concern.
The fog around SSP is so opaque that I'm really wondering if it
wouldn't make more sense to punt and wait for people to do enough
experiments to understand what turns out to be useful.
The first open question is when a recipient would check a sender's
SSP. It seems pretty clear that if a message is self-signed, there's
no need to check, and if it's completely unsigned you do want to
check. But what if it's signed by a third party you trust? (That's
the mailing list scenario.) If a message is signed both by you and by
someone else I see no reason to treat that as anything other than a
self-signed message, but some people disagree for reasons that remain
unclear.
Assuming we can work that out, I hear reasonable unanimity on "I
send no mail", that is, if you get an unsigned message purporting
to be from me, it's a fake so throw it away.
I hear considerably less consensus on "I do send mail but throw it
away if it's not signed." There's some sentiment for "if foo signs
it, then it's OK" although then we get into arguments about delegating
signing keys and the like. I hear no consensus at all about anything
else. There are lots of other true things one could say about one's
outgoing mail, but surprisingly little that's useful to recipients.
A spec with 1 2/3 bits of data doesn't impress me as worth writing.
R's,
John
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html