[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Eric
Sent: Tuesday, August 02, 2005 9:35 PM
To: Jon Callas
Cc: ietf-mailsig(_at_)imc(_dot_)org; hartmans-ietf(_at_)mit(_dot_)edu;
Subject: Re: Comments on draft-allman-dkim-base-00.txt
Jon Callas <jon(_at_)callas(_dot_)org> wrote:
We put spam and phishing last, and identity protection first, for the
exact reasons that you stated at the first MASS BOF: these are social
problems, and do not lend themselves to a purely technical solution.
We consider DKIM to be an authentication foundation for accreditation,
reputation and other authorization services. Presently, there is not a
good, reliable mechanism to build these on other than IP address. DKIM
uses digital signatures to provide that foundation.
You can't ignore the fact that the reason people are interested
in this is as part of a spam/phishing filtering system. In
such a system, the value of reducing identity forgery is
primarily to enable whitelisting, which has the purpose of
reducing false positives. So, it needs to be asked whether that
is a useful technique.
That may be true from the receiver's perspective. From the signer/sender's
perspective the primary value of reducing identity forgery is defensive. As
a sender, what I want is for the forger/spammer to use some domain other
than mine or the ones I'm responsible for. If signing with DKIM and
publishing a policy saying that all messages are signed with DKIM provides a
sufficient deterrent for the forger/spammer to go elsewhere, then from the
sender's perspective it's a victory. It's the flip side of the same coin.