[ietf-dkim] A more fundamental SSP axiom
Douglas Otis
dotis at mail-abuse.org
Sat Aug 5 07:30:07 PDT 2006
On Sat, 2006-08-05 at 04:46 +0000, Mark Delany wrote:
> > >That's a matter between the "I sign all" and the list. I would say
> > >that if it hurts, don't do it.
> >
> > No, the sensible user will accept all the mail from the list. With
>
> Well maybe, but that's not the intent of my style of "I sign all".
>
> If "I sign all" I would much rather no one accept a mail purportedly
> from me that doesn't verify. Why would an "I sign all" domain want
> mail accepted that can't be proved to be from them?
>
> But then I'm missing this whole "list" issue. It seems to me to be
> largely a red-herring because the size of the intersection of "I sign
> all" traffic and DKIM-unaware Lists is pure speculation at this stage.

Consider that "I" may be in regard to a list of domains. As such, there
would be two statements that could apply. "I sign all" and "Only I sign"
as an indication of whether the "I" list is complete.

The reason for making the stipulation of the list being complete would
be to indicate non-compliant services will not be used. A financial
institution would most likely want to make this stipulation, where
concerns regarding issues related to things that might look like
e-invites, or mailing-lists are rejected without further examination.

For the vast majority of domains, "I sign all" where the list of other
possible sources is defined as incomplete would be a better choice.

When "I" refers to an empty list, "I sign all" would then mean my
messages may or may not be signed, and an empty list with "Only I sign"
would mean this domain does not send mail.

The default assumption of a listed domain in the policy would be to
assume "I sign all". This could even be called the "I sign all" list.
The only embellishment needed would be the "Only". The default policy
when none is found would be an empty list with the assumed "I sign all"
assertion.

-Doug
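
The policy states described in the message above, written out as a small receiver-side check. This is an added example, not part of the original post or of any DKIM/SSP specification; the `SigningPolicy` type, the `evaluate` function, the verdict names and the `*.example` domains are hypothetical, and signature verification is assumed to have happened elsewhere.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningPolicy:
    """Hypothetical model of the policy sketched in the post."""
    signers: frozenset = frozenset()  # the "I sign all" list of domains
    only: bool = False                # "Only I sign": the list is complete


# Per the post: when no policy is found, assume an empty list
# with the "I sign all" assertion.
DEFAULT_POLICY = SigningPolicy()


def evaluate(policy, verified_signers):
    """Return a verdict for one message.

    policy           -- SigningPolicy of the author domain, or None if
                        no policy record was found
    verified_signers -- domains whose signatures on this message verified
    Verdict names are assumptions made for this example.
    """
    policy = policy or DEFAULT_POLICY
    listed = {d.lower() for d in policy.signers}
    verified = {d.lower() for d in verified_signers}

    if listed & verified:
        return "pass"            # signed by a domain on the list
    if policy.only:
        # Complete list: no other source is used by this domain.
        # An empty complete list means the domain sends no mail at all.
        return "reject-no-mail" if not listed else "reject"
    if not listed:
        return "no-assertion"    # messages may or may not be signed
    return "examine"             # incomplete list: other sources may exist


if __name__ == "__main__":
    # Constructed sample policies and messages.
    bank = SigningPolicy(frozenset({"bank.example"}), only=True)
    typical = SigningPolicy(frozenset({"corp.example"}))
    print(evaluate(bank, ["list.example"]))   # re-signed by a mailing list
    print(evaluate(typical, []))              # unsigned copy via a list
    print(evaluate(None, []))                 # no policy published
```
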