When a message is received the only thing we truly can determine is the IP it came from (in most cases)no matter what authority or ruleset that subsequent headers assert. Now DKIM asserts responsibility for signing but may not be the sender. Perhaps SSP should be asserted by the signing domain so responsibility can be narrowed to a single party. I see a lot of DKIM spam in the wild so we will have to ascertain reputation/accreditation regardless but at least we will have an entity of some sort to assign responsibility to. Highly phished sites will have look-a-like issues regardless of what we assign as determinate SSP lookup headers.
Thanks, Bill Oxley Messaging Engineer Cox Communications 404-847-6397 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Fenton Sent: Thursday, January 17, 2008 12:45 PM To: Jon Callas Cc: [email protected] Subject: Re: [ietf-dkim] Re: ISSUE 1525 -- Restriction to posting by firstAuthor breaks email semantics Jon Callas wrote: > > I think we should fall back to a minimal SSP that contains only the "I- > SIGN-ALL" policy, and we let the real-world deployment and desires for > additions control more in SSP than that. SSP2 can start in a year or > two, and then we see what is needed in the real world. We can even > have experimental things in the field to test them. That's a suggestion in a different direction (issue #1520). The issue here is how we obtain the policy, be it the minimal "I-SIGN-ALL" that you advocate or the richer policy that is in the current draft. Is it queried based on the [first] author's domain, the authors' domain(s), or the sender's domain? -Jim _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
