On Sat, 19 Nov 2005 07:27:10 -0800 Douglas Otis <[EMAIL PROTECTED]> wrote:
>On Fri, 2005-11-18 at 22:29 -0500, Scott Kitterman wrote:
>>
>> That or the title of the thread is bogus.
>> 
>> I could equally say if we were trying your approach something like Doug's
>> non-SSP security relies upon every MUA in the world being upgraded and is
>> useless until then.
>>
>> What you appear to be saying, once again, is that SSP is useless because it
>> isn't a universal solution to phishing.
>
>Meeting the requirements of an SSP policy would _not_ be a safe basis to
>highlight the message.  This would assume the recipient recognizes
>perhaps subtle differences in domain appearance. 
>
>
OK.  That clarifies the supposed threat for me that you are attempting to 
describe.

What you are saying is that just because a message meets an SSP requirement 
is not a safe basis for an MUA marking them somehow good.  I agree with 
that, but I think it's outside the scope of what this almost working group 
is supposed to do.  

IIRC, the farthest in that direction we go is an optional task for a header 
to communicate DKIM results.  My view of restrictive SSPs is that messages 
that fail the restrictive test should be rejected during the SMTP session.  
This will reliably get the rejection notification back to a legitimate user 
and keep it out of any bad message folder I have to periodically review.

I think you miss the point about the potential value of restrictive SSPs to 
the receiver.  I don't need better methods to sort messages into folders.  
I will need better methods in the future to avoid having to deliver bad 
messages at all.

OK.  So, bottom line is that you aren't wrong, but I think your 'threat' is 
based on a false premise and out of scope.  

Scott K
_______________________________________________
ietf-dkim mailing list
http://dkim.org
