> At base the former seems to move SSP from being a basic means of
> checking for rogue mail, into recruiting the receive-side to be an agent
> of the From-field domain owner, for enforcing potentially complex
> operational rules.

IMO, "recruiting the receive-side to be an agent of the From-field domain owner" probably goes too far. I certainly don't feel I am an "agent" of the RFC2821.mail domain owner when I do my SPF checks. Nor am I the servant of the PRA by virtue of doing Sender-ID. Rather, those who employ SSP are "agents" working on their own behalf in an attempt to utilize another authenticity vector in order to provide the most trustworthy mail service they can.

"for enforcing potentially complex operational rules" - SSP is simply a gathering mechanism. Any complex operational rules are at the discretion of the receiver post-SSP, right?

> Absent compelling demonstration of market need,

I believe that the need and duty to protect one's domain from unauthorized use is (or should be) presuppositional and therefore needs no demonstration. However, are you saying that the market has no need for SSP? What constitutes "compelling" and are we qualified to determine that in the IETF?

> why are we considering something that, to my knowledge,
> has no experiential base for the scale and complexity
> of the open Internet?

SPF provides, at least partially, the experiential base for something like SSP, doesn't it? It is deployed widely, is DNS based, and is more complex than SSP. Yet the market seems to have embraced it.

--
Arvel

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
