ietf-dkim

RE: [ietf-dkim] user level ssp

2006-09-07 12:29:49
Arvel,

I think it is reasonable for the sender to say 'here is how you can spot a 
likely fake'. This statement is tantamount to 'be very suspicious' or even in 
certain cases 'discard this message' since a fake is almost certainly spam. 

The part that I think SPF folk failed to understand was that the sender can 
never order the receiver to ACCEPT a message. 

The second issue is the reason why it is very important to avoid suggesting 
that the sender is in control. I dislike use of the term authorization for the 
same purpose.


-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org 
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Arvel Hathcock
Sent: Thursday, September 07, 2006 1:30 PM
To: 'ietf-dkim(_at_)mipassoc(_dot_)org'
Subject: RE: [ietf-dkim] user level ssp

> At base the former seems to move SSP from being a basic means of 
> checking for rogue mail, into recruiting the receive-side to be an 
> agent of the From-field domain owner, for enforcing potentially 
> complex operational rules.

IMO, "recruiting the receive-side to be an agent of the 
From-field domain owner" probably goes too far.  I certainly 
don't feel I am an "agent" of the RFC2821.mail domain owner 
when I do my SPF checks.  Nor am I the servant of the PRA by 
virtue of doing Sender-ID.  Rather, those who employ SSP are 
"agents" working on their own behalf in an attempt to utilize 
another authenticity vector in order to provide the most 
trustworthy mail service they can.

"for enforcing potentially complex operational rules" - SSP 
is simply a gathering mechanism.  Any complex operational 
rules are at the discretion of the receiver post-SSP, right?

> Absent compelling demonstration of market need,

I believe that the need and duty to protect one's domain from 
unauthorized use is (or should be) presuppositional and 
therefore needs no demonstration.  However, are you saying 
that the market has no need for SSP?  What constitutes 
"compelling" and are we qualified to determine that in the IETF?

> why are we considering something that, to my knowledge, has no 
> experiential base for the scale and complexity of the open Internet?

SPF provides, at least partially, the experiential base for 
something like SSP doesn't it?  It is deployed widely, is DNS 
based, and is more complex than SSP.  Yet the market seems to 
have embraced it.

--
Arvel 




_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html


