[ietf-dkim] user level ssp
dotis at mail-abuse.org
Wed Sep 6 11:00:10 PDT 2006
On Sep 6, 2006, at 10:14 AM, Michael Thomas wrote:
> All of this talk about additional requirements for user level ssp
> ignores the basic question: should there be any requirements for
> user level SSP at all? If so, what are the use cases? I'm not
> terribly convinced that even that has consensus -- this is the
> first that I even recall the subject being raised.
When a large financial institution wishes to have a specific email-
address receive added assurances via annotations, then having a means
to include these addresses within policy satisfies this desire
without specific arrangements made separately with each verifier.
The current strategies for financial institutions require an
assertion that _all_ messages be signed. Not all messages from a
large domain warrant receiving annotations of added assurances
however. Having a means to convey which email-address warrants this
annotation can be accomplished via policy.
Rather than a direct translation into a DNS label, a base32 encoding
of a SHA-1 hash ensures long local-parts, UTF-8, and subaddress
symbols can be handled by this scheme. (SHA-256 could be used, but
there does not seem to be a need for this extreme.)
More information about the ietf-dkim