p=reject is a extremely strict check: if it doesn't pass, the email service drops it. It is only for transactional business mail, and should never be applied to mailing-list mail. Ask the IETF authors.

Yahoo, AOL and friends were under severe pressure to "do something, anything". They did do something, it's just that ...

A week or so later the spam had proper signatures.

These mechanisms are only valid for "transactional" business email, where business correspondents need the email credibly labelled by the sending company. It's OK for stuff where you establish who to talk to by mail, telephone or wild-ass-guess, and make deals based on that lebel of security.

It's utterly inappropriate for mailing lists, remailers, discussion groups or material gatewayted between email and usenet or web services. The workaround are lies, told to convince the anti-spam functions of DKIM et all to let it through.

About a week after DKIM broke all the IETF and ISOC lists, the spammers were signing their spam so as to be deliverable once more. I was on the ISOC list at the time, and some unkind words got said about Yahoos.

We saw this happening in Canada some years back (Thanks, Drew!) with the government of the day proposing ISPs being turned into attractive targets for anyone wanting to impersonate people ("identity theft").

Worse, the kind of processing required to extract the metadata requires a machine the cost of one's main router, so people proposed ISPs should "just spool everything to disk" for a few days.

The next thought was to call for a longer retention period...

--dave
[It didn't pass, somewhat miraculously]

That's huge: in the UK the banks were temporarily able to do that by claiming chip-and-pin cards were secure (boy, was that not true). The courts threw it out, as you might imagine, but only after lots of people were defrauded.

In Canada, the banks are on the hook, and have refunded me both times their "unhackable" pin-and-chip card got hacked. We and the US are looking at card-and-signature systems, which have good customer protection as humans can verify claimed forgeries, just like cheques.

I'm David in general, DCB at work (there are lots of Daves), Orv as a nickname, Uncle Dave to my nephew when he was little, Mr Collier to all sorts of illiterate clerks. I have a pen-name, and a bunch of versions of my name required by email providers. My name also changed when I got married, as did my wife's.

When dealing with vendors I don't necessarily trust, I'm just "sir" and pay with cash. Considering the internet make it possible for vendors to be anywhere and anyone, I expect that we'll all to do more that way. My credit-card vendor, who already issues me single-use card-numbers for particularly suspicious vendors: I also expect to see single-use numbers with no name, just a single guaranteed amount.

Oh, and by the way, while I have to identify myself to get into the booth, my vote has no name attached.

--dave

It's front-page news for a soldier to be killed on duty in Canada. Believe it or not, it's also front-page news when an RCMP officer was killed on duty a few years back.

Canadians usually die from car accidents (or are eaten by polar bears (;-))

He was doing a ceremonial guard duty, as an honour. He probably didn't expect to be shot in the back.

The operational bases were on moderate alert, but apparently the PM didn't think he or anyone else needed to be careful...

If you don't care about constitutionality, you prohibit your legal draughtsmen from reporting on it, and you pass what you want. It's up to your opponents to find a good test case, and figure out how to pay for a challenge when they don't have standing.