ietf-dkim

Re: [ietf-dkim] Re: ISSUE 1521 -- Limit the application of SSP to unsigned messages

2008-01-24 13:28:04
On Jan 24, 2008 2:50 PM, Arvel Hathcock <arvel(_dot_)hathcock(_at_)altn(_dot_)com> wrote:
> > > I would take this further: remove all text that says when to apply
> > > SSP.  Instead, provide text that states the contribution that SSP
> > > can make under different conditions:  mail with valid first-party
> > > signature, mail with valid third-party signature, and mail without
> > > valid signature.
> >
> > I mostly agree with Wietse's proposal.  Yes, I'm aware that diverges
> > sharply from the current draft.
>
> I could get behind Wietse's proposal also if it hadn't started with "I
> would take this further."  I'm concerned with the "this" he refers to
> which encourages avoiding SSP completely in the presence of a verifiable
> signature from just anybody whomsoever.  I view that notion as
> completely defeating SSP.
>
> Arvel



A number of years ago a friend confided in me that a company he worked
for, who have always been considered to be good SMTP citizens,
inadvertently popped a hole in their firewall that allowed some SMTP
traffic to leak unfettered to the internet. One of the desktops had a
bot that sent the worst type of spam. The globally wholesome image of
the company, had it gone too long without being discovered, would have
been tarnished as the incident would have certainly found its way to
the media. This company certainly could have and would have taken
advantage of STRICT or ALL if DKIM/SSP were available at the time. If
this were to happen to this company again, with the proposed language
removed, all the bot would have had to do is sign the message and
those that trusted the company for so long would be in for a nasty
little surprise.

Regards,
Damon
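To make the distinction the thread is arguing over concrete, here is an added example (not from the thread and not any DKIM/SSP implementation) that evaluates a message under the two rules: SSP consulted only for mail with no valid signature at all, versus consulted whenever there is no valid first-party signature. The published-practices table and the domain names are constructed, and the meaning given to "all" and "strict" is a simplified reading assumed for the example.

```python
"""Simplified SSP evaluation under two application rules (constructed example)."""

# Practice names modelled on the draft's dkim= values; semantics simplified here.
UNKNOWN, ALL, STRICT = "unknown", "all", "strict"

# Constructed stand-in for the SSP DNS lookup: author domain -> published practice.
PUBLISHED_PRACTICES = {
    "example.com": STRICT,        # the "good SMTP citizen" in Damon's story
    "newsletter.example": ALL,
    "casual.example": UNKNOWN,
}


def classify(author_domain, verified_domains):
    """Bucket a message by the strongest valid signature it carries.

    verified_domains holds the d= values of signatures that verified.
    """
    author = author_domain.lower()
    if any(d.lower() == author for d in verified_domains):
        return "first-party"
    if verified_domains:
        return "third-party"
    return "unsigned"


def evaluate(author_domain, verified_domains, only_unsigned):
    """Return (classification, verdict) for one message.

    only_unsigned=True models the draft text under discussion: the practice is
    looked up only when the message carries no valid signature whatsoever.
    only_unsigned=False models Wietse's reading: the practice is consulted
    whenever a valid first-party signature is absent.
    """
    cls = classify(author_domain, verified_domains)
    if cls == "first-party":
        return cls, "accept"          # an author signature satisfies any practice
    if only_unsigned and cls == "third-party":
        return cls, "accept"          # policy never consulted: any signer passes
    practice = PUBLISHED_PRACTICES.get(author_domain.lower(), UNKNOWN)
    if practice == UNKNOWN:
        return cls, "accept"
    if practice == ALL:
        return cls, "non-compliant"   # domain states it signs everything (assumed reading)
    return cls, "suspicious"          # STRICT: treat as suspicious (assumed reading)
```

The third-party case with `only_unsigned=True` is the scenario Damon describes: a message from example.com carrying a valid signature from some other domain is accepted without the strict practice ever being consulted.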
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
