On 04/18/2006 15:43, Douglas Otis wrote:
> On Apr 18, 2006, at 11:33 AM, Scott Kitterman wrote:
>
> > I would not say that we shouldn't include DKIM protection beyond
> > SMTP, but that whatever happens after delivery shouldn't distract
> > us from the primary use case.
>
> Or the primary goal of offering protection for all obtainable use cases?
>

I guess we disagree about MUA level verification being obtainable. I actually have some e-mail accounts I only check about once or twice a year.

If we design for the MSA-MTA-MDA case, it should cover most typical MUA cases too. In the MSA-MTA-MDA case we can place an upper bound on how long from signing to delivery. With the MUA case, we could spend weeks arguing over it to no point.

MUA level verification will never have the same level of reliability as MTA/MDA verification for a variety of reasons, of which this is only one, so let's not focus on it.

If you'd like some experience with this, you can go play with the Thunderbird Extension for Sender Verification.

http://taubz.for.net/code/spf/

In the end, deployed experience with DKIM will tell us how long to leave keys in DNS. No point in getting too worked up over it now anyway.

Scott K
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html