> Step three: fix the status quo for *participating* MLM's by offering up
> a new technical solution that enables MLM's to assert that they've
> validated the original sender's signature.

Not to pick on Paypal specifically, since this is a general failure of ADSP, but:

We want everyone to throw away mail from us that doesn't have our signature.

no, wait, ...

We want everyone to throw away mail from us that doesn't have our signature EXCEPT if it has an A-R header showing that it was signed when a MLM received it.

no, wait, ...

We want everyone to throw away mail from us that doesn't have our signature EXCEPT if it has an A-R header showing that it was signed when a MLM received it AND it has a signature from the MLM to show it's actually from the MLM

no, wait, ...

We want everyone to throw away mail from us that doesn't have our signature EXCEPT if it has an A-R header showing that it was signed when a MLM received it AND it has a signature from the MLM to show it's actually from the MLM AND the signature is known to the recipient to sign mail from real MLMs.

no, wait, etc.

I entirely endorse Paypal's efforts to make it easy to identify their mail and easy to throw away the forgeries. But you (and anyone else whose transaction mail is a forgery target) shoot yourself in the foot every time you make the message more complex, since that makes it less likely that people will go along.

In particular, all of the normal mail from paypal.com says one thing, log in and look at your account, so losing the occasional message isn't a big deal since you can find what it said on the web site. Now you're saying, well, actually, there's some paypal.com mail that says other stuff that you can't reconstruct, and that mail may well show up without our signature. Really, really, don't do that.

R's,
John

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html