Eliot Lear wrote:
Arvel Hathcock wrote:
The SSP specification needs to be modified to remove all directions
for recipient actions, instead limiting itself to statements about the
actions of a potential signer.
This is a manifestation of the thinking that providing guidance to a
receiver about what you might like to see happen is a violation of
some Internet taboo. I just don't see a problem here.
I'd have to agree. I thought the point of SSP was for the sender to
provide the receiver with guidance on what it would like done with
messages that are believed to be inauthentic. While I understand Dave's
concern about organizations communicating policy, if this is a start, so
be it. It's very constrained.
The distinction is subtle but SSP is more about a declaration of
expected DKIM operational behavior.
It's like going to the toy store for X-mas stuff. All the external
promotional, advertisement, and boxing materials are such that we make that
purchase with a natural expectation to get what we pay for.
But poor little Billy opens the box and finds that it doesn't contain
something that was expected. Our choices are typically clear:
- Don't worry, tell little Billy it's good enough
- Don't worry, after all it's from Toys-R-Us, or is it really?
- Return it, take it back!
- Who knows, sue someone, class action lawsuit!!
The point is, here we want to unleash this new system with DKIM
signatures and, worse, in a default neutral and mediocre manner where there
is a high degree of QA controls lost.
It's all good when the vendor's QA is perfect. When it is not, people
either accept it or do something about it.
A great example of a well known brand name getting exploited:
I have this Toshiba Laptop, a great laptop. I will always pay a little
more for my stuff at home and at business to get the well known QA and
support for those "just in case" situations. The laptop hard drive was
failing. Still under warranty, Toshiba support sent me to the nearest
Certified Toshiba Repair Shop in Miami.
The end result was this:
I expected a 100% Toshiba hard drive replacement. That's in the warranty.
Something was still not right with it. What was provided was a "fake
clone" with some internal name of "TosQhiba" or something like that. It
was not a Toshiba product or even from a certified manufacturer. It was
unknown, no web reference, nada. Calls to Toshiba HQ quickly resolved
that problem.
So even if we want to put our trust in brand names, even they can be
exploited and directly receiving material from Certified vendor shops
(senders) does not guarantee satisfaction.
Most of the time, you have to go to the source to get things resolved.
John Levine's NY Times (Sender), Arvel (From Address) example is another
example of where we allow mediocrity to persist. I would think that
the NY Times would be very interested to know that somehow, something
was not right with that transaction.
--
Sincerely
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html