Steve Atkins wrote:
>> Actually, I think that's the LAST step. My hypothesis is that
>> different types of signers and/or verifiers (different use cases)
>> perceive different threats.
>
> Well, without knowing what threats SSP is supposed to mitigate, it's
> impossible to start analyzing how well it does so. So identifying the
> threats certainly can't be the last step, and I can't actually think
> of anything that comes before that.
>
> Where would you start?

Dangit, Steve, we're agreeing again. I'm going to start by documenting the many different-yet-overlapping use cases & related threats. The only difference from your earlier statement is that I don't think we'll ever have consensus on The One True Threat Model; instead each different-yet-overlapping user of DKIM & SSP will have different-yet-overlapping concerns about each.

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html