----- Original Message ----- From: "Wietse Venema" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Tuesday, September 12, 2006 1:30 PM Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION
>> hmmmmmmmmm, unless I didn't follow you right, I fail to >> see the distinction or your point. > > I get mail that pretends to be from my bank. The SSP says the mail > is 100% pure non-forged. However, the DKIM-BASE signing domain is > not in my list of trusted signing domains. I get a warning that > this mail could be sent by a party that I have no relationip with. > > This may be a revolutionary concept to some, but a widely used > application called ssh has been using such tricks for 10 years. > Its approach to opportunistic authentication is not perfect for > purists, but it works for real people. > > Having gone in circles twice, I think this is a good time to step > out of this thread. That's fine by me Wietse, but keep in mind that you mistaken by continuing to use a magic wand to change an apple into an orange, by using reputation is part of the total solution when in fact, it is suppose to be out of scope in this WG. We all have, or atleast most modern systems use white/black or reputation concepts. That's a natural. But that isn't part of the scope here. In other words, the problem is when there is no white list environment or more specifically an anonymous or unknown sender environment because that is where most of the problem lies - how do deal with the unsolicited unknowns. Anyway, I think we atleast in agreement that phishing will always remain to be a problem outside of DKIM and/or SSP and even Trusted List ideas. This requires, imv, ever evolving prologue interpretation of the message. -- Hector Santos, Santronics Software, Inc. http://www.santronics.com _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
