[ietf-dkim] user level ssp
Jim Fenton
fenton at cisco.com
Thu Sep 7 09:25:52 PDT 2006
Michael Thomas wrote:
> That may be a use (though pretty unlikely to me), but the use case that I've
> heard of is more aimed at securing things like statements@bigbank.com without
> having to say "I sign everything" for the entire domain which is assumedly a
> lot harder. The thing about this is that you can alternately set up a record for
> statements@accounts.bigbank.com or somesuch which would work the same way.
> I've heard it expressed that that is problematic for some people, but I frankly
> don't remember why at this point. Hopefully somebody can remind me.
Suppose that, at the domain level, bigbank.com can't say it signs
everything but accounts.bigbank.com does. If someone received a spoofed
message from statements@bigbank.com which didn't contain a valid
signature, the fact that it didn't come from the 'accounts' subdomain
might not be noticed.
I'm just stating the argument, not advocating user-level SSP. I think
the above problem is venturing too far down the slippery slope of trying
to solve a human-factors issue, especially considering the overhead
associated with user-level SSP queries.
-Jim
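An added illustration of the two points made in this message (it is example code written for this page, not code from the thread or from any DKIM implementation): a toy model of a verifier's Sender Signing Policy lookup. The record names (`_policy._domainkey.<scope>`), the `dkim=all` / `dkim=some` values, the user-level record name form (`<local-part>._policy._domainkey.<domain>`) and the in-memory zone are all assumptions made for the illustration, not the syntax of any SSP draft. It shows that a policy published only at accounts.bigbank.com is never consulted for an unsigned message claiming to be from statements@bigbank.com, and that user-level SSP adds one DNS query for every address that has no user record.

```python
"""Toy SSP (Sender Signing Policy) lookup model. Added example, not from the
ietf-dkim thread; record names and tag values are assumptions."""

# Constructed zone: policy record name -> TXT value. Assumed record syntax.
ZONE = {
    # bigbank.com cannot claim it signs everything ...
    "_policy._domainkey.bigbank.com": "dkim=some",
    # ... but the accounts subdomain can.
    "_policy._domainkey.accounts.bigbank.com": "dkim=all",
    # Hypothetical user-level record for statements@bigbank.com,
    # only consulted when user-level SSP is enabled.
    "statements._policy._domainkey.bigbank.com": "dkim=all",
}


def dns_txt(name, queries):
    """Simulated TXT lookup; records every query so overhead can be counted."""
    queries.append(name)
    return ZONE.get(name.lower())


def parse_policy(txt):
    """Return 'all', 'some' or 'unknown' from an assumed 'dkim=' tag list."""
    if not txt:
        return "unknown"
    for tag in txt.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip() == "dkim" and value.strip() in ("all", "some"):
            return value.strip()
    return "unknown"


def lookup_policy(from_addr, user_level=False):
    """Find the policy governing from_addr.

    With user_level=True the verifier first tries a per-user record and
    falls back to the domain record; otherwise only the domain record is
    queried. The policy is always scoped by the From domain exactly as
    written, so a record at a sibling or child domain is never consulted.
    Returns (policy, list_of_queries_made).
    """
    local, _, domain = from_addr.rpartition("@")
    queries = []
    if user_level:
        txt = dns_txt(f"{local}._policy._domainkey.{domain}", queries)
        if txt is not None:
            return parse_policy(txt), queries
    txt = dns_txt(f"_policy._domainkey.{domain}", queries)
    return parse_policy(txt), queries


def evaluate(from_addr, has_valid_signature, user_level=False):
    """Verifier verdict for a message: ('accept'|'suspicious'|'no-policy',
    policy, number_of_dns_queries)."""
    policy, queries = lookup_policy(from_addr, user_level)
    if has_valid_signature:
        verdict = "accept"
    elif policy == "all":
        # Unsigned mail from a scope that says it always signs.
        verdict = "suspicious"
    else:
        verdict = "no-policy"
    return verdict, policy, len(queries)


if __name__ == "__main__":
    # Spoofed, unsigned statements@bigbank.com: the accounts.bigbank.com
    # "dkim=all" record does not help, because it is never looked up.
    print(evaluate("statements@bigbank.com", False))
    # The same spoof against the subdomain is caught.
    print(evaluate("statements@accounts.bigbank.com", False))
    # User-level SSP catches the first case ...
    print(evaluate("statements@bigbank.com", False, user_level=True))
    # ... at the cost of an extra query for every address without a record.
    print(evaluate("alice@bigbank.com", False, user_level=True))
```

The model is deliberately minimal: it does not attempt the real SSP lookup rules (such as walking parent domains or handling NXDOMAIN), only the scoping behaviour the message discusses. The query counter is what makes Jim's overhead point concrete: with user-level SSP enabled, every unsigned message from an address that has no per-user record costs two lookups instead of one.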