John L wrote:
As I think has been hashed out before, it's utterly impossible to
keep people from creating lookalike domains.
And as I think has been hashed out before, if we attempt to boil the
ocean, which is what you're suggesting, we will fail.
Actually, all I was going to suggest was that if SSP purports to
manage addresses on the From: line, it should manage all of them
rather than arbitrarily giving N-1 of them a free pass.
Ah. I see. So you would require N DKIM signatures (where N is the
number of domains found)?
because simply SOMEONE taking responsibility for the message mandates
the need to establish reputation of that someone
Indeed. Does this mean you agree that SSP only applies to unsigned
messages? (Actual non-rhetorical question.)
No, because I make a distinction between just anyone and the person(s)
in the From line. I view it as a starting point from which perhaps UI
folk can make some headway. I think they'll need to do other things, of
course. I agree with you that the display name is what gets shown
today, and I'm not certain what to do about it, but we need to be
careful not to leave gaping holes.
But all of this being said, you said you were about to propose
protecting all addresses in the entire From: line. I think that would be a
great idea. Why not send text, being mindful that we have to be careful
of potential reflection attacks through this mechanism?
Eliot
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html