J.D. Falk wrote:
Imagine, if you will, that I'm a big ISP with lots and lots and lots of
consumer type end users who prefer to stay clueless about the
intricacies of e-mail.
A message comes in which claims to be from the First Amalgamated Bank of
Example. An entirely separate, unrelated mechanism has already told me
that example.com really is the domain name used by the First Amalgamated
Bank of Example, and that they're a real bank with tellers and vaults
and bulletproof glass and all that fun stuff.
But this message isn't signed (and/or the signature is invalid, which
base says is the same thing.) How do I find out whether or not the
First Amalgamated Bank of Example thinks that they sign all of their
messages? That should be a simple, binary operation, right? I really
don't care about anything else the sender may want to assert.
Should that be in SSP? Should it be in something else? Should I
encourage all of the banks to use a non-standardized external mechanism
while y'all argue?
When you read the ssp-reqs, did you find what you want there? If not,
then why not write the relevant paragraphs and see if people like them.
That's how things get done, as opposed to argued about.
Stephen.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html