By the way, speaking of trust and reputation services:
SSP does not say that my bank's domain belongs to a real bank.
If I am the bank, then I can ensure that messages purporting to be
from me are from me and nobody else.
SSP does not say that a criminal's domain belongs to a fake bank.
I know what banks I bank with. Someone at a fake bank with a valid SSP
and DKIM will still likely be ignored. I know that at least MY bank
uses SSP and DKIM and I can trust that it is from them.
SSP does not help me decide which bank is real.
Again, I know who my bank is. If I get a message from BoA or a message
from the First Mountain Trust of Namibia, I believe I would not have
any trouble distinguishing between the two.
If anything requires a reputation service, then it is SSP not DKIM.
DKIM can manage just fine with a local whitelist.
I am aware that credibility on this list is inversely proportional
to the number of messages posted, and I will post corrections like
this infrequently.
I am not oblivious to what you are trying to say, but I believe that
this will at least keep us going in the right direction and give us
operational folks some tools with teeth. I am sure that when we build
it, they will come and reputation services will eventually be part of the
tools. I just don't think it belongs in the draft.
Regards,
Damon Sauer
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html