ietf-dkim

Re: [ietf-dkim] user level ssp

2006-09-09 12:15:37
In <B73EF753-E06A-4AFA-A4EE-89FB305CBB5A(_at_)blighty(_dot_)com> Steve Atkins 
<steve(_at_)blighty(_dot_)com> writes:

I guess that the real question is what's the difference between
"I always sign" and "I always sign and I get phished"?

The impression I'm getting, from several people, is that "I always
sign" is already being written off as likely to be ignored by
recipients and that there needs to be a "No, I really mean it!"
modifier?


I've said before that I can see some value, not a huge amount, but
certainly some value, in distinguishing between:

1) I always sign, but I also know that I send email through relays that
   will break the signature.

and

2) I always sign, and I also do not knowingly send email through relays
   that break signatures.


Case 1) is for folks that let their users send email to mailing lists
and such, while case 2) is for folks that are really worried about
phishing and such and are willing to take the necessary steps so that
email with missing/broken signatures can be rejected.


Thinking about it more, I've decided that maybe the clearer
distinction is:


1) I always sign, but I also know that I send email through relays
   that will break the signature.  If you, as a receiver, reject
   legitimate email due to broken/missing signatures, it is your fault
   and I'll place the blame on you.


2) I always sign, but I also do not knowingly send email through
   relays that break signatures.  If you, as a receiver, reject
   legitimate email due to broken/missing signatures, it is my problem
   and you can place the blame on me.


In theory, a receiver of case 1) signing can use the "I sign all"
information, along with other information the receiver knows about the
source of the email (is it a known mailing list? etc.) to make a
reasonable guess about whether a broken/missing signature is a good
spam indicator or not.

In theory, a sender of case 2) can take steps, including no longer
sending email to certain users/domains/relays, to make sure that they
can continue to advertise this stricter sending policy.


-wayne