----- Original Message -----
From: "Dave Crocker" <[EMAIL PROTECTED]>
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION

> Wietse Venema wrote:
>
>> The purpose of a valid DKIM signature is to identify the party that
>> signed the message. Whether this is a first-party or third-party
>> signature is largely irrelevant. It's about accountability.
>
> It is interesting how vigorously and persistently this continues to be
> misunderstood.

Dave, it is NOT and NEVER WAS misunderstood!!

Although I have major concerns about the conflicts with this new accountability and responsibility which undoubtedly leave itself open to legal scrutiny, the difference is that DKIM-BASE creates a new level of expectations and SSP is about the detection of failure and non-compliancy with the protocol consistency.

At some point, this "accountability" has to have some redeemable value.

You want receivers to play dumb and just return a VALID or INVALID state which still accepts the mail.

What I am telling you is that regardless of what the SIGNATURE means, its failure will not be tolerated in wide adoption.

So let's assume there is no SSP and we just have a pure DKIM-BASE verifier, what do you want us to do with the two possible end-results?

- INVALID signature
- VALID signature

Do you want us to present 'something' to users and if so, how do you present this to the different user types?

- ONLINE mail users?
- OFFLINE mail pickup users?

For the online users, our hosting software can present "something"

- WARNING: something wrong with this message?
- NOTE: This message seems to be ok!

But how do you pass this information for the offline mail pickup users? Are you expecting them to be DKIM-READY to display this information themselves? If so, why should the MTA even bother to do DKIM-PROCESS and just let the offline MUA do the DKIM processing?

The bottom line is that you still need to "FILTER" something at some level even if you don't use SSP at the MTA and I can assure you that without SSP, I am less willing to assume product liability issues by wasting time doing an ACCOUNTABILITY check at the MTA that has no payoff of eliminating mail.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
