Date: Mon, 21 Jan 2008 23:06:33 -0500
From: johnl(_at_)iecc(_dot_)com
To: robert(_at_)barclayfamily(_dot_)com
CC: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: RE: [ietf-dkim] ISSUE 1525 -- Clarification about posting by first
Author
Sorry, I think I may have misunderstood your earlier point. When you say
SSP applies only to unsigned messages were you talking about excluding
valid third party signatures (I apologize if I misread that part of the
email).
Seems to me that no matter what we say, if a message is signed by someone
a receiver sufficently trusts, they're going to whitelist it, so it's
silly to try to tell them to do anything else. I'm inclined to completely
remove anything about what receivers do with mail with other signatures.
R's,
John
I agree with the part about not telling receivers what to do with a piece of
mail but I think there are two assumptions built into the premise above that I
have a problem with.
1) It sounds like you are saying that, unless I expect that a receiver is going
to use that fact as a binary decision point to accept or reject a piece of mail
it is not worth expressing
Since I am avoiding making any assumptions about how people intend to use
the data I think it is useful to be able to express a policy for how I expect
domains I control to be used. If some people find that useful sometimes and
irrelevant at others then I can't see that I'm worse off than I was before, or
that the receiving system is.
and
2) We have to build SSP assuming that people are only ever going to use this
information by itself and that they for some reason do not have access to any
other information about the sender.
I understand the idea of keeping reputation out of scope, and not making
assumptions about how people use the data. But the idea that all filtering
decisions are now and wil be forever a set of hurdles someone has to pass over
is just as big an assumption about how the data will be used, as assuming that
they will look at the totality of data they have about a sender. The fact is
that both cases exist already, and for the latter case any useful information
you add to those models makes them better. We don't have to make assumptions
(or worse prescriptions) about how people use the data to know that giving
people extra information is helpful.
Since there are a number of useful cases I can think of where domain owners
could for valid reasons say "I expect all mail using my domain to be signed by
me" I think this is a policy worth allowing in the spec (and no this is not
limited to big commercial mailers, many small corporate environments, and
environments with very strict legal regimes regarding how they archive their
email both jump out as cases where it would be entirely reasonable to express
that policy).
I don't think this qualifies as telling anyone what to do. Just conveying
my expectation of how certain domain owners expect their domains to be used. If
receiving systems still end up accepting mail from third parties they trust
that would be up to them. And, if you are using this data as a single hurdle in
mail acceptance, then like virtually any other single hurdle most systems use,
you're probably going to have some kind of whitelist for exceptions to that
test , but again that is entirely a matter for RECEIVER policy and is
independent of any assertions made byt the sender.
Robert
_________________________________________________________________
Need to know the score, the latest news, or you need your Hotmail®-get your
"fix".
http://www.msnmobilefix.com/Default.aspx
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html