Greg,
GC> There is a problem with Domain Keys that Yahoo has not really addressed,
GC> and that is that DomainKeys may be "affirmative" (and say "This message
GC> came from domain X") but by itself it cannot be "negative" (meaning "Accept
GC> no messages without Domain Keys").
Clearly there is utility in being able to assert that an entire domain
is always signed.
However that policy assertion is separate from the basic utility of
having messages be signed. If a signature validates, you know
something useful.
If a signature fails to validate, you are not all that much worse off
to treat it the same as if there were no signature at all. Yes, you
can handle that condition better if you know that signatures must be
present (and valid) for a domain, but that is an enhancement to
overall processing, not a requirement.
Interesting policy stuff has no large-scale operational history over
the Internet, so we should approach it cautiously. Forcing a proposal
to include any sort of interesting policy mechanism is a good way to
bog it down.
GC> But, since they don't seem to be participating, I guess they are planning
GC> to create something extraneous. If they really wanted the internet
GC> community to support their new proposal, they probably wouldn't remain
GC> silent and/or blind to other things happening in the email industry.
Yahoo has the rather strange notion that it is good to be able to
demonstrate that a proposal works, before tossing it out for
standardization. They seem to be operating under a historical
distortion. Something about running code.
d/
--
Dave Crocker <mailto:dcrocker(_at_)brandenburg(_dot_)com>
Brandenburg InternetWorking <http://www.brandenburg.com>
Sunnyvale, CA USA <tel:+1.408.246.8253>, <fax:+1.866.358.5301>