> [mailto:[EMAIL PROTECTED] On Behalf Of John L
> It's true, I don't, and I've been trying to figure out why > not. It finally came to me: senders are not the right people > to judge their own importance. True but senders can state whether: 1) They have been accredited as a financial institution 2) They have been a target of phishing attacks And most importantly 3) Whether they sign all their outgoing email or not. > When I think of SSP records saying dump mail if it's not > signed, I see a bunch of tiny gorillas*, beating their teensy > chests and saying in high squeaky voices, "Beware, oh > Internet, of the Scourge of Criminals attempting to forge the > image of my Inestimable Personage, and do not DARE to be > fooled by these Base Mockeries of Communication!" The only > reasonable response from everyone else is somewhere between > "Huh?" and "Get real." The fact that a few chimps might try to use the mechanism does not mean that there are no gorillas with legitimate reasons to do so. All that policy does is to describe the sender's outgoing email configuration and possibly provide some description of the sender. This has almost nothing to do with what a third party might do in this area. It makes little sense to attach accreditation records to the domain, they should attach to the key record. Speaking as the Principal Scientist of the largest Internet accreditation provider (larger than the members of DAC put together) I do not see a reason why third party accreditation should be preferred over self-accreditation for the negative accreditations in this particular instance. If someone is saying something positive about themselves then that is something that you probably want to have a third party there to provide an independent view. If on the other hand someone is making a statement of the form 'I am not trustworthy' or 'Anyone who fails to authenticate as me is not me' then self accreditation works fine and is a necessary compliment to giving the TTP asserted positive assertions value. > If the ABA or the FDIC published a list of domains used by > member banks to send signed transactional mail, I would find > that really useful. A list of people who think they are as > threatened by forgery as those banks is useless other than > for entertainment value. That is a parochial view. The ABA is not an international organization and shows no inclination to repeat the routing number role. Unless you can provide an active member of these organizations who says that they want to do this role the suggestion is futile. My interactions with bankers through the APWG strongly suggests that they do not want this role. > So that's the problem with SSP. Whatever your policy is, > unless you're someone I already have reason to be interested > in, I don't care. While it is true that I may wish to obtain additional information before acting, a mechanism that signals to me that there may be such information to find is still useful. _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html