> At base the former seems to move SSP from being a basic means of
> checking for rogue mail, into recruiting the receive-side to be an agent
> of the From-field domain owner, for enforcing potentially complex
> operational rules.

IMO, "recruiting the receive-side to be an agent of the From-field domain
owner" probably goes too far. I certainly don't feel I am an "agent" of the
RFC2821.mail domain owner when I do my SPF checks. Nor am I the servant of the
PRA by virtue of doing Sender-ID. Rather, those who employ SSP are "agents"
working on their own behalf in an attempt to utilize another authenticity
vector in order to provide the most trustworthy mail service they can.

"for enforcing potentially complex operational rules" - SSP is simply a
gathering mechanism. Any complex operational rules are at the discretion of
the receiver post-SSP, right?

> Absent compelling demonstration of market need,

I believe that the need and duty to protect one's domain from unauthorized use
is (or should be) presuppositional and therefore needs no demonstration.
However, are you saying that the market has no need for SSP? What constitutes
"compelling" and are we qualified to determine that in the IETF?

> why are we considering something that, to my knowledge,
> has no experiential base for the scale and complexity
> of the open Internet?

SPF provides, at least partially, the experiential base for something like SSP,
doesn't it? It is deployed widely, is DNS based, and is more complex than SSP.
Yet the market seems to have embraced it.
--
Arvel