On Thu, 30 Nov 2006 12:33:10 -0000, Scott Kitterman
<ietf-dkim(_at_)kitterman(_dot_)com> wrote:
Not quite. What I want to be able to do with SSP has nothing to do with
user
interface.
But users might not share you opinion of that. If the user's MUA has no
part to play in the matter, then the only options for his upstream is
"drop" or "not drop". Some users might be happy to devolve that
responsiblity to their upstreams. I would not, unless I had considered
their policy and agreed to go along with it (as I do actually; I have set
a Spamassassin score of 4+ which my provider devnulls for me; below that,
I inspect the mail myself).
In your example, let's say that foo.com is a heavily phished domain that
has
published a signing complete SSP. In this case I have received a message
that is outside the criteria of their declared SSP. They have published
such
an SSP knowing that it will cause some legitimate use classes of mail to
fail
(e.g. mail sent through mailing lists that break signatures), but that
the
benifits of combatting exact domain forgery are worth the cost (this has
been
extensively debated on the list already and the group is divided on this
- I
don't propose to redo this debate).
OK, I think each domain has to establish its own level or paranoia, and we
can rank SSP policies in some order. So, for the most paranoid:
We sign everything
All our from addresses are single role addresses so we never add Sender
Our staff are forbidden to subscribe to mailing lists
Our staff are forbidden to post to Usenet
Our staff are forbidden to forward mail that is received
Our staff are forbidden to resend mail that is received
We actively request all other agents through which our mail passes to drop
it silently and with extreme prejudice if the signature fails to verify
There are NO exceptions to these rules.
And then you can gradually drop thos restrictions to achieve lower levels
of paranoia, so that at the bottom you would have:
We run an open relay, and are happy to sign anything that is passed
through us.
And yes, it might be a good idea for us to prepare a ranked list of SSP
policies/features, with a view to discussing what sensible policies might
be when faced with each. But I think all here would agree that the great
majority of domains will place themselves well down the paranoia scale
from the extreme example I have given.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html