Steve Atkins wrote:
A message is identified and defined by its content. You cannot claim
responsibility for a message without also claiming responsibility for the
content of the message. If the content were to change, it wouldn't be
the same message.
The word "responsible" can be quite vague, and this was intentional.
When Yahoo or AOL or Google or... sign an outgoing message, they are clearly
not saying that the content is truthful. They are, perhaps, saying that the
message came from a valid account on their service. Or they might be saying
something even weaker, such as "this did come through my MTA".
The danger is in thinking that a signature (or its absence) has more
substantial meaning, absent extensive knowledge about the signer or whoever is
vetting them.
To: dcrocker
From: epimenides@crete.gr
All Cretans are liars.
If that is validly dkim signed by crete.gr, that doesn't make the
content valid. Nor would it were it PGP signed by epimenides@crete.gr.
But I thought it was supposed to mean that it was authored by epimenides.
That is, that the From address is really the author of this content.
DKIM doesn't make that strong a statement.
(If it were dkim signed by blighty.com then crete.gr *could* assert, via
SSP, that the From field is not correct, and perhaps that the entire
message should be treated with some little-S suspicion.)
(SSP's use of the word 'suspicion' is a different line of problem to consider.
It is SSP's way of trying to give direction about the behavior of receive-side
filters.)
That is only one of SSP's features.
OK, it also allows you to make negative assertions about validly dkim
signed messages where the domain name of the From field and the signer
differ. It's still only capable of making negative assertions about
validity ("the content is not valid"), though.
Which means that it is making statements about validity.
But a DKIM signature does not.
Discussions about SSP seem to conflate From field domain name
correlations with "brand" representation authenticity in the message.
That type of issue is what prompted my sending my note.
SSP's goal is the same as SPF's original goal - to protect the sanctity of
the user-visible From address - but I've not really noticed that being
conflated with "brand", "friendly from" or any of the other user-visible
parts of the message much. Do you have an example you're thinking of?
Hallway conversations about expectations for SSP.
In general, the model of a potential signer directing a potential receiver how
to handle a message with the potential signer's domain name in the From field
is rather directly targeting brand protection.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html