ietf-dkim

Re: [ietf-dkim] Collection of use cases for SSP requirements

2006-11-09 09:43:52
On Thu, Nov 09, 2006 at 12:33:49PM -0000, Charles Lindsey wrote:
<snip>
Many of them use their own domains, for which they could trivially
publish SSP data.

Which is where we need sites on which "reputations" can be queried. I  
envisage these will operate rather like the present DNSBL blacklists. You  
choose such a site that you trust, and then ask its advice on the action  
you should take according to the signer, From address, etc. I would  
suppose that phishers' own domains would rapidly acquire a rather poor
reputation (and the advice should be to "delete all mail where the  
signature succeeds, and even where it doesn't").

So what I'm about to state has been said by others before:

Reputation has to start as neutral or negative. One cannot start out
with a good reputation. Phishers don't need their domains to be around
that long to make some money.

Starting with a negative reputation means legitimate small companies
will be penalized. A possible solution to that is accreditation.

However, I think a better way is to state a relationship between two
entities and allow the ISP to validate such a relationship. That isn't
DKIM though.



-- 
:: Jeff Macdonald | Principal Engineer, Messaging Technologies
:: e-Dialog | jmacdonald(_at_)e-dialog(_dot_)com
:: 131 Hartwell Ave. | Lexington, MA 02421 
:: v: 781-372-1922 | f: 781-863-8118 
:: www.e-dialog.com

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
