Stephen Farrell wrote:

> But yet again, each form of delegation has its issues.

Right, but those forms where the delegator can delegate without prior and explicit consent of the delegatee are beyond my no-nonsense limit. Ideally "explicit" should allow receivers to verify this.

If an ISP uses a "we sign everything" strategy, and many customers belong to botnets, then a "bad actor" could register eboy (with an "O"), delegate eboy-signing to this ISP unilaterally, and phish using his zombies with accounts at this ISP. SSP shouldn't allow this by design.

Frank

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
