[ietf-dkim] "I sign everything" is not a useful policy
dhc at dcrocker.net
Sat Aug 5 18:06:59 PDT 2006
Mark Delany wrote:
>> Having the signer or the ssp publishes tell the evaluator what they should do
>> with a message is not a good idea
> Why do you say that Dave?
> If SSP is not giving guidance/information to receivers/evaluators, who
> then is the target audience for SSP? And what do we want them to do
> with the information?
> An interesting twist to "telling evaluators", as you put it, is that
> SSP is a negative indicator. It's telling evaluators *not* to deliver
> unless the right conditions are met. Why would an "evaluator" be
> suspicious of a domain that encourages non-delivery of its own traffic
> when in doubt?
The signer knows everything there is about their own behaviors. They cannot
know very much about the context, needs, preferences, or much else about the
evaluator. Therefore they cannot know very much about what the evaluator
"should" do with a message.
Seriously. SSP can be entirely useful when stated in terms of the sender's
perspective. It does not need to pretend that it knows enough to give
directions to an evaluator.
We have done quite a good job, so far, of distinguishing statements about
signing from statements about delivery or non-delivery. The issue is not
whether the evaluator might be "suspicious" of a direction to perform
non-delivery. It is that it crosses a line into making presumptions about the
evaluator that a) the Internet technical community does not have experience
with, and b) we do not need to cross.