[ietf-dkim] list vs contributor signatures, was Wrong Discussion
Scott Kitterman
ietf-dkim at kitterman.com
Wed Jun 2 09:16:06 PDT 2010
"John Levine" <johnl at iecc.com> wrote:
>>Similarly, with ADSP you don't have to rely on published information, and
>>when information is published, you don't have to guess whether the
>>publisher is competent. You can maintain your own list of domains that you
>>trust to get ADSP right, and use standard software to apply that judgement.
>
>Manual drop lists are a fine idea, but what do they have to do with ADSP?
>
>>1. Code reuse: Although you may choose to maintain your drop list, you
>>don't have to write software for your MTA, you can just configure it.
>
>I'm happy to reuse the manual drop code in SpamAssassin. I still don't
>see what it has to do with ADSP.
>
>>2. Discoverability: You can find out from ADSP publications that the sender
>>cares about this stuff. OK, it's still a leap to add them to your drop
>>list, but you do at least have somewhere to start.
>
>Here's a thought experiment: let's say you have your list of domains
>that are known to be phish targets that sign their mail, so you drop
>unsigned mail, and they all happen to publish ADSP. Someone's ADSP
>record goes away. Is it more likely that they've stopped signing
>their mail, or that their ADSP record is temporarily messed up? Why?
Or, I suspect most likely, they thought they were signing everything and then later something changed or they discovered they missed a piece of their infrastructure, so they've retracted the policy until they've corrected the problem.
Scott K
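
The thought experiment above, as an added example that is not part of the original message or of any project's code: a receiver combines a locally maintained drop list with the published ADSP practice (the `dkim=` tag of RFC 5617) and reports when a listed domain no longer publishes a record. The function names, domains and the choice to keep dropping on the local list alone are assumptions made for illustration; whether that choice is right is what the thread is debating.

```python
# Added illustration; all names and sample data are constructed.
MISSING_NOTE = "listed domain publishes no ADSP record; cause unknown"

def parse_adsp(txt):
    """Return the dkim= practice from an ADSP TXT record string, or None."""
    if not txt:
        return None  # no record found at _adsp._domainkey.<author domain>
    for part in txt.split(";"):
        tag, _, value = part.partition("=")
        if tag.strip() == "dkim":
            value = value.strip().lower()
            # RFC 5617: any other value is treated as "unknown"
            return value if value in ("all", "discardable") else "unknown"
    return None

def decide(author_domain, has_author_signature, adsp_txt, local_drop_list):
    """Return (action, note) for one message.

    has_author_signature: a valid DKIM signature whose d= is the author domain.
    local_drop_list: domains the receiver has chosen to trust to sign all mail.
    """
    practice = parse_adsp(adsp_txt)
    listed = author_domain in local_drop_list
    # A listed domain whose record is gone: the receiver cannot tell from
    # DNS alone whether signing stopped, the record broke, or the policy
    # was retracted, so surface it instead of silently changing behaviour.
    note = MISSING_NOTE if listed and practice is None else ""
    if has_author_signature:
        return "accept", note
    if listed:
        return "drop", note          # local judgement (assumed policy)
    if practice == "discardable":
        return "discard", note       # sender's published request
    if practice == "all":
        return "suspicious", note    # unsigned mail from an all-signing domain
    return "no-policy", note

if __name__ == "__main__":
    drop_list = {"bank.example"}     # constructed sample list
    for txt in ("dkim=discardable", None):
        print(txt, decide("bank.example", False, txt, drop_list))
```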