On Nov 1, 2005, at 1:29 PM, Dave Crocker wrote:
SSP deals with matching the From to the DKIM identity. Did you
have other matching in mind?
Although many wish to attribute an ability to directly relate the
From header with the DKIM signing-domain as a means to abate
abuse, this is a foolish quest.
1. You did not answer my question.
I did answer. See the comments below together with the deleted
portion of the message that you indicated as being non-responsive.
2. Calling folks "foolish" isn't very productive, particularly
when your views have repeatedly received countering arguments that
you seem to be ignoring.
Please note that I have called the "quest" foolish. What countering
arguments? Each of the purported problems could be handled by only
assessing the signing-domain. Where is this not the case?
Deleted portion of the message:
There is a prevalent use of "pretty-names" by MUAs, use of
different character-sets, look-alike domains, convincing
sub-domains, mixed together with many newly registered domains. The
abuse problem cannot be confronted without the use of reputation
assessments on some identity.
These are the reasons I gave for my assessment of the quest.
A goal of DKIM should be to ensure the identity assessed for
reputation reflects the administrator of the system, the
signing-domain. In the past, there have been "authorization" mechanisms
shifting the burden onto the email-address instead. SSP is
another such "authorization" mechanism, especially when plans for
a "third-party" signer list are considered. The unfortunate effect
of using the email-address to assess reputation is that this precludes
the use of independent signing-domains.
DKIM should ensure the identity assessed represents that of the
administrator. Once again I expressed grave concerns about imposing
yet another flawed "authorization" scheme. There have already been
suggestions that an authorized "third-party" signing list will be added to
SSP. Will hundreds of DNS lookups be required? Does this remind
you of anything that should _not_ be repeated?
This loss of independent signatures will mean that email-addresses
become tied to the provider, and third-party services are
forfeit. This is done in the guise that "authorization" is a
means to control the use of a domain. In reality, the signature
indicates how the domain is used. This is an attempt to shift the
burden onto the hapless email-domain owners.
With SSP, the email-address is considered an identity acting to
authorize a "signing-domain." The only way an email-address domain
owner could protect their reputation would be to prohibit use of
independent signing-domains. A very bad idea, as this will be highly
Using an indirect method to associate the signing-domain with an
email-address will offer better protections against all types of
spoofing, including phishing. Opaque-identifiers for example,
will prohibit the use of reputation against the email-address as a
means to ensure that allowing and using independent signing-domains
do not become problematic for the email-address domain owner. As
it happens, this approach also deals directly with compromised
systems, and replay abuse.
With the indirect method where the signing-domain and the
email-address are considered independent identities, this ensures that
DKIM can be deployed without creating a great deal of havoc. With
the DKIM signature in place, the sending domains are better
protected from routing exploits. The MUA/MTA can also utilize
opportunistic security techniques that will prove superior to any
attempts at direct header relationships.
Here you will notice I explain what matching should be done instead.
An opaque-identifier coupled with the signing domain can be retained
as a means to match against any and all email-addresses. This would
not require the signing-domain to place any limitation upon what
messages may be sent and signed. The opaque-identifier would simply
indicate what account was being used. If Jon Doe had an account at
example.com and sent messages as Jane-Doe@some-other-example.com,
<example.com>O-ID:002134688 would identify the actor for the
message. Example.com would not care how their clients identified
themselves, provided they did not receive complaints. The signature
would assure the recipient who should receive a complaint if there
was a problem.
I think that if you read the answer I gave, you will find that I have
answered the question. No direct association should be made as a
means to ensure the free use of independent signatures. Can you
explain how email-domain owners will not be coerced into excluding
the use of independent signing-domains otherwise?
ietf-dkim mailing list
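As an added illustration that is not part of the original message or of any DKIM specification, the following Python contrasts the two assessment strategies argued about in the thread: a direct From/signing-domain match versus keying reputation on the signing-domain plus an opaque identifier, using the Jon Doe / example.com scenario from the post. The `o=` tag carrying the opaque identifier is a hypothetical tag invented for this example (`d=` is the real DKIM signing-domain tag), and all messages are constructed.

```python
"""Added example: which identity does a DKIM receiver assess for reputation?

Assumptions (not from the post or from DKIM): the opaque account identifier
travels in a hypothetical DKIM-Signature tag ``o=``; ``d=`` is the real
signing-domain tag; every message below is constructed for illustration.
"""
import re
from collections import Counter


def parse_dkim_tags(header: str) -> dict:
    """Split a DKIM-Signature value ('v=1; d=example.com; o=...') into tags."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def from_domain(from_header: str) -> str:
    """Domain of the address in a From: header (display name tolerated)."""
    match = re.search(r"<?([^<>\s@]+)@([^<>\s]+)>?", from_header)
    return match.group(2).lower() if match else ""


def direct_policy(msg: dict) -> bool:
    """SSP-style check: pass only when the From domain equals the signing-domain."""
    signing = parse_dkim_tags(msg["DKIM-Signature"])["d"].lower()
    return from_domain(msg["From"]) == signing


def actor_key(msg: dict) -> str:
    """Indirect method: signing-domain plus opaque id; the From header is ignored."""
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    return f"<{tags['d'].lower()}>O-ID:{tags['o']}"


# Constructed traffic: one example.com account sending under several addresses.
MESSAGES = [
    {"From": "Jon Doe <jon@example.com>", "DKIM-Signature": "v=1; d=example.com; o=002134688"},
    {"From": "Jane-Doe@some-other-example.com", "DKIM-Signature": "v=1; d=example.com; o=002134688"},
    {"From": "Jane Doe <jane@third-example.org>", "DKIM-Signature": "v=1; d=example.com; o=002134688"},
]


def compare_policies(messages):
    """Return direct-match verdicts per message and message counts per actor key."""
    verdicts = [direct_policy(m) for m in messages]
    per_actor = Counter(actor_key(m) for m in messages)
    return verdicts, per_actor


if __name__ == "__main__":
    verdicts, per_actor = compare_policies(MESSAGES)
    print("direct From/d= match per message:", verdicts)   # only the first passes
    print("messages attributable per actor:", dict(per_actor))  # all three, one account
```

The direct policy rejects the legitimate third-party use (messages 2 and 3) even though example.com signed them, while the actor key attributes all three to the same account, so complaints land on the signing-domain that can act on them.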