On Thursday 17 August 2006 11:44, [EMAIL PROTECTED] wrote: > Big gaping hole, I may assume that isp.com can determine the > author/originator but how to differentiate or not sign a spoof?
It gets back to is the signer controlled or uncontrolled. Only a controlled signer is suitable for SSP delegation (this would be a contractual matter between the ISP and their customers). Typically, today, ISPs that allow foreign mail identities operate uncontrolled. That is, any user authorized to use the MSA is allowed to use arbitrary identities. This would have to change. I expect that for large ISPs it would be impractical to go back an validate their entire userbase and so this might be offered as a premium service for the class of customers that would care. Operationally for an MSA this is trivial (at least based on my experience with Postfix, my MTA software of choice), the major challenge is the administrative effort needed to verify authorization to use an address. When we get to writing the internet draft with the SSP specification, I will volunteer now to write the words explaining all this so people have no excuse if they screw it up. I will keep writing until there is agreement that the issue and how to mitigate it is described accurately. Scott K _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
