ietf-dkim

Re: [ietf-dkim] user level ssp

2006-09-07 09:29:44
Michael Thomas wrote:
> That may be a use (though pretty unlikely to me), but the use case that I've
> heard of is more aimed at securing things like statements@bigbank.com without
> having to say "I sign everything" for the entire domain, which is assumedly a
> lot harder. The thing about this is that you can alternately set up a record for
> statements@accounts.bigbank.com or somesuch which would work the same way.
>
> I've heard it expressed that that is problematic for some people, but I frankly
> don't remember why at this point. Hopefully somebody can remind me.

Suppose that, at the domain level, bigbank.com can't say it signs
everything but accounts.bigbank.com does.  If someone received a spoofed
message from statements@bigbank.com which didn't contain a valid
signature, the fact that it didn't come from the 'accounts' subdomain
might not be noticed.

I'm just stating the argument, not advocating user-level SSP.  I think
the above problem is venturing too far down the slippery slope of trying
to solve a human-factors issue, especially considering the overhead
associated with user-level SSP queries.

-Jim
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html