Arvel,
I think it is reasonable for the sender to say 'here is how you can spot a
likely fake'. This statement is tantamount to 'be very suspicious' or even in
certain cases 'discard this message' since a fake is almost certainly spam.
The part that I think SPF folk failed to understand was that the sender can
never order the receiver to ACCEPT a message.
The second issue is the reason why it is very important to avoid suggesting
that the sender is in control. I dislike use of the term authorization for the
same purpose.
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Arvel Hathcock
Sent: Thursday, September 07, 2006 1:30 PM
To: 'ietf-dkim(_at_)mipassoc(_dot_)org'
Subject: RE: [ietf-dkim] user level ssp
At base the former seems to move SSP from being a basic means of
checking for rogue mail, into recruiting the receive-side to be an
agent of the From-field domain owner, for enforcing potentially
complex operational rules.
IMO, "recruiting the receive-side to be an agent of the
From-field domain owner" probably goes too far. I certainly
don't feel I am an "agent" of the RFC2821.mail domain owner
when I do my SPF checks. Nor am I the servant of the PRA by
virtue of doing Sender-ID. Rather, those who employ SSP are
"agents" working on their own behalf in an attempt to utilize
another authenticity vector in order to provide the most
trustworthy mail service they can.
"for enforcing potentially complex operational rules" - SSP
is simply a gathering mechanism. Any complex operational
rules are at the discretion of the receiver post-SSP, right?
Absent compelling demonstration of market need,
I believe that the need and duty to protect one's domain from
unauthorized use is (or should be) presuppositional and
therefore needs no demonstration. However, are you saying
that the market has no need for SSP? What constitutes
"compelling" and are we qualified to determine that in the IETF?
why are we considering something that, to my knowledge, has no
experiential base for the scale and complexity of the open Internet?
SPF provides, at least partially, the experiential base for
something like SSP, doesn't it? It is deployed widely, is DNS
based, and is more complex than SSP. Yet the market seems to
have embraced it.
--
Arvel
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html