On Sep 6, 2006, at 10:14 AM, Michael Thomas wrote:


All of this talk about additional requirements for user level ssp ignores the basic question: should there be any requirements for user level SSP at all? If so, what are the use cases? I'm not terribly convinced that even that has consensus -- this is the first that I even recall the subject being raised.

When a large financial institution wishes to have a specific email-address receive added assurances via annotations, then having a means to include these addresses within policy satisfies this desire without specific arrangements made separately with each verifier. The current strategies for financial institutions require an assertion that _all_ messages be signed. Not all messages from a large domain warrant receiving annotations of added assurances however. Having a means to convey which email-address warrants this annotation can be accomplished via policy.

Rather than a direct translation into a DNS label, a base32 encoding of a SHA-1 hash ensures long local-parts, UTF-8, and subaddress symbols can be handled by this scheme. (SHA-256 could be used, but there does not seem to be a need for this extreme.)

-Doug
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
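
The label derivation described in the message above, as an added Python example that is not part of the original post or of any DKIM/SSP draft. It assumes the local-part is hashed exactly as given in UTF-8 and that the base32 output is lowercased with padding removed; the message defines neither a canonical form nor the layout of the policy record name.

```python
import base64
import hashlib
import re

MAX_LABEL_OCTETS = 63  # DNS limit on a single label (RFC 1035)
# Letters, digits and interior hyphens only: the hostname-style label rule.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def direct_label_ok(local_part: str) -> bool:
    """True if the local-part could be used unchanged as a single DNS label."""
    return (
        len(local_part.encode("utf-8")) <= MAX_LABEL_OCTETS
        and LDH_LABEL.match(local_part) is not None
    )


def hashed_label(local_part: str, algorithm: str = "sha1") -> str:
    """Base32 of the hash of the UTF-8 local-part, lowercased, padding removed.

    Assumption: no case folding or subaddress stripping is applied before
    hashing, so "Alerts" and "alerts" yield different labels.
    """
    digest = hashlib.new(algorithm, local_part.encode("utf-8")).digest()
    label = base64.b32encode(digest).decode("ascii").rstrip("=").lower()
    if len(label) > MAX_LABEL_OCTETS:
        raise ValueError(f"{algorithm} digest does not fit in one DNS label")
    return label


if __name__ == "__main__":
    # Constructed sample local-parts: plain, subaddressed, UTF-8, over-long.
    samples = ["statements", "alerts+billing", "kundenservice-münchen", "a" * 64]
    for lp in samples:
        print(f"{lp[:24]!r:28} direct={direct_label_ok(lp)!s:5} "
              f"label={hashed_label(lp)}")
```

A SHA-1 digest is 160 bits, which divides evenly into 5-bit base32 symbols, so every local-part maps to a 32-character label with no padding; a SHA-256 digest gives 52 characters once padding is stripped, still within the 63-octet label limit.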
