[ietf-dkim] "I sign everything" yes/no
Stephen Farrell
stephen.farrell at cs.tcd.ie
Tue Nov 21 15:16:09 PST 2006
J.D. Falk wrote:
> Imagine, if you will, that I'm a big ISP with lots and lots and lots of
> consumer type end users who prefer to stay clueless about the
> intricacies of e-mail.
>
> A message comes in which claims to be from the First Amalgamated Bank of
> Example. An entirely separate, unrelated mechanism has already told me
> that example.com really is the domain name used by the First Amalgamated
> Bank of Example, and that they're a real bank with tellers and vaults
> and bulletproof glass and all that fun stuff.
>
> But this message isn't signed (and/or the signature is invalid, which
> base says is the same thing.) How do I find out whether or not the
> First Amalgamated Bank of Example thinks that they sign all of their
> messages? That should be a simple, binary operation, right? I really
> don't care about anything else the sender may want to assert.
>
> Should that be in SSP? Should it be in something else? Should I
> encourage all of the banks to use a non-standardized external mechanism
> while y'all argue?
When you read the ssp-reqs, did you find what you want there? If not,
then why not write the relevant paragraphs and see if people like them.
That's how things get done, as opposed to argued about.
Stephen.