ietf-dkim

Re: [ietf-dkim] draft-ietf-dkim-ssp-02.txt Discardable/Exclusive

2008-02-08 19:02:00
MH Michael Hammer (5304):
Is the potential benefit afforded a receiver by checking that SSP
assertion AND taking whatever (unspecified) action worth the effort
of doing so? If receivers are likely to have little or no
benefit/interest in checking SSP then the rest of the discussion
is moot.

In other words, is the juice worth the squeeze?

Wietse:
Spammers can use DKIM and SSP too. Therefore [..] the juice is
not worth the squeeze unless the receiver actually knows the
domain.  Perfect DKIM+SSP by a total stranger is relatively
meaningless.

MH Michael Hammer:
I'm asking in terms of the overall implementation. In a world
where all domains are strangers the juice is definitely not worth
the squeeze.  That is the chicken and egg of kickstarting adoption.

The far majority of email is from strangers.  Specifically, there
is an awful lot of email with me as recipient from apparent senders
that I have no relationship with. I have no reason to believe that
my experience differs radically from that of other people.

Is the same true where half (or pick a percentage of your choice) the
domains are strangers? At what point do the benefits of checking
outweigh the costs of checking?

Honestly, I know of no reasons why spammers would start to send
less email. There is a lot of spam out there that has nothing to do
with domain spoofing and everything with gullible greedy recipients.

So if it isn't 3PS (01) and it isn't ASP (02) then what is it that is to
be identified/protected by SSP?

It's primarily about whitelisting what's "known to be good". When
I get mail that claims to be from a total stranger then it does
not matter if it is 100% DKIM/SSP compliant.

Is DKIM checking sufficient in itself without SSP? How might DKIM-SSP
help receivers (the 3 aforementioned as well as others) leverage their
evaluation of received email whether signed (valid or not) or unsigned?

"known to be good" whitelisting can be done with DKIM-BASE alone.

SSP etc. is about the ABSENCE of valid signatures, and can help to
strengthen the "known to be good" whitelisting process.

When I get mail that claims to be from a total stranger then it does
not matter if it is 100% DKIM/SSP compliant.

        Wietse
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
