*sigh*
As Wietse recently said, much of this discussion has been gone over
many times and already archived. From what I can tell, he seems to
think this all implies that the usefulness of SSP has already been
discussed and dismissed, and is wondering why these points are being
raised again. I see just the opposite: I see it as having been
discussed and understood where it can be useful, and am wondering why
these points are being raised again.
Several others have cast doubt on the usefulness of SSP because it
doesn't solve the phishing problems, especially the look-alike domain
stuff. I see this as being a red-herring. SSP is not designed to
solve the phishing problem.
Sender Signing Practices is designed to tell you about the sender's
signing practices. The sender isn't telling you about whether
they are good or bad. They are not offering accreditation or vouching
services for them. They are telling you what they do and do not do.
If a sender says that they sign all their email, and you receive an
email that is not signed, you can tell that this email is suspicious.
You don't need to know whether the sender is a good actor or a bad
actor. You don't need to query any trust system. You know that this
email does not conform to what the sender says their practices are.
Due to known situations that break signatures, you cannot be
absolutely certain that an email that arrives without a valid
signature but with an SSP that says "I sign all email" isn't
legitimate. As a receiver, you may be able to use additional
information that you know, but the sender doesn't know, to help
resolve this situation. For example, I know that dkim.org sends a lot
of email that is both legitimate and breaks signatures.
If a sender says that they do not send email, and you as a receiver
find an email with their domain in the 2821.From:, you can not only
tell that the email is suspicious, but also that you can reject the email
with much less chance of creating a false positive.
If a sender says that they sign some email, then as a receiver, you
haven't learned anything. This isn't really useful per se, but it is
needed to distinguish between the status-quo and other more useful
cases.
If the sender says that they sign all email, that they have taken
steps to make sure that they do not send email through known mungers,
and that you, as a receiver, can put the blame for any false positives
on the sender, then you can much more safely reject email without a
valid signature. Again, this is the sender saying something that the
receiver can not know by themselves. This is something useful for the
sender to say and for the receiver to hear.
DKIM, with or without SSP, does not solve the phishing problem, nor
the spam problem. DKIM, in conjunction with one or more reputation
systems, may help here, but this has little to do with SSP.
-wayne
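The receiver-side reasoning laid out in the post, as an added Python example (not code from the post or from any SSP draft): the practice names, the three dispositions and the way receiver-local knowledge is applied are assumptions made here to model the four cases wayne walks through.

```python
from dataclasses import dataclass
from enum import Enum


class Practice(Enum):
    # The four sender statements discussed in the post (names are assumptions).
    SIGNS_SOME = "signs some mail"            # status quo: receiver learns nothing
    SIGNS_ALL = "signs all mail"              # unsigned mail is suspicious, not proven forged
    SIGNS_ALL_STRICT = "signs all, avoids mungers, takes blame for false positives"
    SENDS_NONE = "sends no mail"              # any mail using the domain can be rejected


@dataclass(frozen=True)
class Message:
    from_domain: str           # domain found in the 2821.From (MAIL FROM)
    has_valid_signature: bool  # outcome of DKIM verification only, no reputation lookup


@dataclass(frozen=True)
class ReceiverKnowledge:
    # Information the receiver has and the sender does not: domains whose legitimate
    # mail is known to pass through signature-breaking paths (the post's dkim.org case).
    known_breakers: frozenset = frozenset()


def evaluate(msg: Message, practice: Practice, receiver: ReceiverKnowledge) -> str:
    """Return 'accept', 'suspicious' or 'reject' from the sender's stated practice,
    the signature result and receiver-local knowledge; no trust system is queried."""
    if practice is Practice.SENDS_NONE:
        # The domain says it originates no mail at all, so nothing can conform to it.
        return "reject"
    if msg.has_valid_signature or practice is Practice.SIGNS_SOME:
        # A valid signature conforms to every practice, and "signs some" says
        # nothing about unsigned mail, so there is nothing to act on.
        return "accept"
    if practice is Practice.SIGNS_ALL_STRICT:
        # Sender claims to avoid known mungers and accepts blame for false positives,
        # so rejecting unsigned mail is the safer choice.
        return "reject"
    # Practice.SIGNS_ALL with no valid signature: the message does not conform.
    if msg.from_domain in receiver.known_breakers:
        # Assumption: the receiver uses its own knowledge that legitimate mail from
        # this domain often arrives with broken signatures to resolve the conflict.
        return "accept"
    return "suspicious"
```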
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html