Douglas Otis wrote:
>
> On Jul 27, 2006, at 3:40 PM, Jim Fenton wrote:
>> I have a somewhat less tangible concern, too. If example.com
>> publishes an SSP record saying that some mail provider is an
>> authorized sender, and there is an abuse problem, will example.com
>> feel the same responsibility for the use of their address as if the
>> message had been signed directly "by" their domain? They may not,
>> and I view any spreading of the responsibility to be undesirable.
>
> Regardless of the OA, spam will reflect poorly upon the signing
> domain. Reports of abuse and expectations of who will resolve an
> abuse issue always fall to the signing domain. There will not be
> any "spreading" of responsibility. There is no means to know whether
> the OA is even valid! The identity of the OA depends upon the
> assertion made by the signing domain.
"Spreading" was perhaps not the right word to use. But the signature is now coming from a different place, so whom it reflects poorly upon is now changing. That makes it a fundamentally different thing than key delegation. Allowing a domain to delegate the ability to sign their mail and not holding the delegating domain responsible at all seems undesirable in that it doesn't discourage domains from doing business with dubious mailing services.

-Jim
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
