ietf-dkim

Re: [ietf-dkim] SSP - should r= be localpart only?

2006-02-20 11:10:50
Hi Douglas,
At 11:06 17-02-2006, Douglas Otis wrote:
> Should these reports go to the email-address domain owner or to the
> signing-domain?  Who can fix the problem?

The r= email address is for reports and inquiries about the signing policy only.


> Agreed.  If there are to be reports allowed, these should be reports
> to the entity able to take corrective action, the signing-domain.

Reports are useful in the testing phase to detect broken signatures at the verifier's end. We cannot "trust" the email from the signing-domain if it fails verification which makes sending the reports questionable.

> A restriction limiting reports to the email domain will not prevent
> abuse.  Do not assume closed policies are in place.  Do not use this
> reporting mechanism as a method to punish email-address domain owners
> not publishing closed policies.  When the only logical choice for
> open-policies is to not use 'r=' email-address vector, how does one
> still allow a means to report abuse to the signing-domain?

The "r=" tag is optional. Publishing it is not asking for punishment. It is to allow the signer to take corrective action. The restriction limits the scope for a denial of service.

The "r=" tag is not for reporting abuse. I used "abuse@example.com" as an example only.

Regards,
-sm
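The restriction discussed in this thread, keeping "r=" to a local-part so that a policy record cannot direct verifier reports at an arbitrary third-party mailbox, can be enforced mechanically at the verifier. The following is an added illustration, not code from the list or from any DKIM/SSP implementation. It assumes the policy record uses the DKIM tag=value list syntax (pairs separated by ";"); the tag names other than "r=" and the sample records are constructed for the example.

```python
# Added example: parse a DKIM-style tag=value policy record and apply the
# "r= is a local-part only" rule. The record syntax is ASSUMED to follow the
# DKIM tag-list convention; the sample records below are constructed.
import re

# Characters allowed in an unquoted local-part (RFC 2822 atext plus '.').
LOCALPART_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")


def parse_tags(record: str) -> dict:
    """Split 'k=v; k2=v2' into a dict, ignoring whitespace around tags and values."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def valid_report_localpart(value: str) -> bool:
    """True only if the r= value is a bare local-part (no '@', no empty value).

    Rejecting an '@' is the point of the restriction: reports can then only
    ever be addressed within the signing domain that published the record,
    which bounds the denial-of-service exposure raised in the thread.
    """
    return bool(value) and "@" not in value and LOCALPART_RE.match(value) is not None


def report_address(record: str, signing_domain: str):
    """Return the mailbox reports should go to, or None when r= is absent.

    Raises ValueError for an r= value that is not a plain local-part.
    """
    tags = parse_tags(record)
    value = tags.get("r")
    if value is None:
        return None
    if not valid_report_localpart(value):
        raise ValueError(f"r= must be a local-part only, got {value!r}")
    return f"{value}@{signing_domain}"


if __name__ == "__main__":
    # Constructed records; "t=y" is only here to show unrelated tags pass through.
    print(report_address("t=y; r=dkim-reports", "example.com"))   # dkim-reports@example.com
    print(report_address("t=y", "example.com"))                    # None
    try:
        report_address("r=reports@victim.example", "example.com")
    except ValueError as err:
        print("rejected:", err)
```

A verifier that wants to send a report builds the address from the local-part and the signing domain it already looked up, never from anything else in the record, so a record cannot be used to point report traffic elsewhere.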
_______________________________________________
NOTE WELL: This list operates according to http://dkim.org/ietf-list-rules.html