> So if, during the threat analysis, we identify some such > constraints that make life easier/better when combined with > some ssp options then we could consider standardising them, > or did you mean that any such constraints should be just up > to the individual implementer/signer?
The latter. The point of a threat analysis is to identify threats, not to speculate about what the response people might want to make to the threats. If I were going to speculate about constraints on mail that might make it less likely to be spoofed, I could come up with a vast list, from excluding HTML and embedded URLs to insisting that all from and sender addresses be in the same domain as the signer, to requiring the signing domain in the HELO and rDNS of the sending host, to forbidding any MTA relays between the signing and validating hosts, ad infinitum. It's pure speculation and not useful since we have no experience at all with SSP like systems. Don't do it. Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor "I dropped the toothpaste", said Tom, crestfallenly. _______________________________________________ ietf-dkim mailing list http://dkim.org
