[ietf-dkim] Re: ISSUE 1521 -- Limit the application of SSP to unsigned messages

[Damon]

On Jan 24, 2008 2:50 PM, Arvel Hathcock <arvel.hathcock at altn.com> wrote:
> >> I would take this further: remove all text that says when to apply
> >> SSP.  Instead, provide text that states the contribution that SSP
> >> can make under different conditions:  mail with valid first-party
> >> signature, mail with valid third-party signature, and mail without
> >> valid signature.
> >>
> >
> > I mostly agree with Wietse's proposal.  Yes, I'm aware that diverges
> > sharply from the current draft.
>
> I could get behind Wietse's proposal also if it hadn't started with "I
> would take this further."  I'm concerned with the "this" he refers to
> which encourages avoiding SSP completely in the presence of a verifiable
> signature from just anybody whom-so-ever.  I view that notion as
> completely defeating SSP.
>
> Arvel
>
>

A number of years ago a friend confided in me that a company he worked
for, whom have always been considered to be good SMTP citizens,
inadvertently popped a hole in their firewall that allowed some SMTP
traffic to leak unfettered to the internet. One of the desktops had a
bot that sent the worst type of spam. The globally wholesome image of
the company, had it gone too long without being discovered, would have
been tarnished as the incident would have certainly found its way to
the media. This company certainly could have and would have taken
advantage of STRICT or ALL if DKIM/SSP were available at the time. If
this was to happen to this company again, with the proposed language
removed, all the bot would have had to do is sign the message and
those that trusted the company for so long would be in for a nasty
little suprise.

Regards,
Damon