
Re: Back to chartering DKIM [was bozoproofing the net, was The Value of Reputation]

2006-01-02 10:36:39
On Mon, 2006-01-02 at 10:58 -0500, Tony Hansen wrote:
> This thread was begun by the last call on the chartering of DKIM.
>
> Can we please get back to the question of chartering DKIM?

The concern raised was not specifically in regard to the base DKIM
draft.  There was concern with respect to the use of authorization in
conjunction with DKIM.  DKIM considered independent of the email-
addresses does not have the same potential for disruption.

This is not true with SSP:

1) Authorization has great potential to disrupt normal email practices.

2) Authorization is not likely to reduce the levels of fraud, but
   rather changes tactics.

3) Misuse of authorization as authentication works to the benefit of
   large domains or those with private restrictive servers.

4) Authorization shifts the burden of reputation onto the email-domain
   owner, and may lead to poorer systemic solutions.

5) Indications of an authorization to the recipient places them in
   greater peril of being defrauded.


The base DKIM draft does not directly introduce these problems.  When
used in conjunction with a recognition scheme (upon which expectations
can be based), far greater protection is provided without these
significant drawbacks caused by an authorization scheme.  This approach
also imposes significantly less overhead.

Include the base DKIM draft in the charter, but with the SSP draft
excluded.  DKIM permits many avenues for use.  Perhaps one way to look
at the DKIM signature is that it provides an alternative identifier to
that of the remote IP address that would be more stable as a source
identifier.

-Doug


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf