---- Original Message -----
From: "Dave Crocker" <dhc(_at_)dcrocker(_dot_)net>
In other words, the job of DKIM is to deliver a valid identity
to an assessment mechanism.
To me, SSP is an protocol assessment mechanism. I view it as an assessment
of the proper and expected protocol usage and consistency.
But even then, don't you think this changes or alters the goal of what's
describe in the DKIM-BASE pending standard?
The ultimate goal of this framework is to permit
a signing domain to assert responsibility for a message, thus
protecting message signer identity and the integrity of the messages
they convey while retaining the functionality of Internet email as it
is known today. Protection of email identity may assist in the
global control of "spam" and "phishing".
That "responsibility assertion" is an really important idea here especially
when we currently have allowance for just about anyone to sign on behalf of
the message author name along the path from point A to Z. Are we really
protecting in the OWNER represented by the messaging identity? Or are just
protecting the signer? If so then why are we allowing for a resigner to
break what could be a legitimate signed originally signed message?
To me, all DKIM-BASE does is protect the integrity of the message against
any tampering. It does not protect how that message was created, well, it
can if we want to throw in some "X-Mailer:" header in the signature hashing,
etc, but that isn't the point. DKIM-BASE is just attempting protect the
digital signature of the message. The tie-in to "authorship" or any other
important Mail System concept, is the hashing of these elements so that they
are not altered along the path.
How the assessment service decides to use different names
is a matter that falls under reputation and accreditation.
My reading of the charter says that is out of scope.
{Scratching head, pondering, so why is he bringing it up?}
I personally do not see R/A systems making a judgment on how a message is
done but rather that its coming from a vouched known source.
I go back to the Patrol Officer analogy:
A Patrol officer sees your Driver's license has expired or you left it at
home, and you got some good looking legs. The cop "might" just let you with
a warning this time around. A R/A can "save" its customers from mishaps.
But 99% of the times or lets just say it is expected police protocol and
practice for a traffic stop that if there is a problem with your Driver's
license; the photo, the sex, age, height, etc, it is simply not quite
consistent which what he is seeing in reality, at this point, there is
increase scrutiny and by Police Protocol and Practice he should radio the HQ
database (i.e., Reputation Service) to find out if there anything bad or new
to find out about you or the vehicle you are driving.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html