
Re: [Asrg] Third party DKIM signatures

2006-06-02 11:53:30
Dan Oetting wrote:

On Jun 1, 2006, at 9:50 PM, John Levine wrote:

I said earlier that the ISP could quarantine outgoing mail until the
confirmation succeeded. Even better would be to reject the mail in
the smtp transaction from the user to the ISP with a comment that a
confirmation email has been sent to the From address.

What a complete waste of effort.  If I were an ISP using DKIM, I would
be sure there was a header in my outgoing mail with enough info to
identify the customer (opaque token is fine), and include it in the
signature.  Then if a recipient objects, I know who the guilty party
is regardless of what address he used.

I did state in my first post:

It may help to preemptively address the forgery issue if the ISP were to ensure that the From address were valid before signing the message. But this is an issue between the ISP and the user.

I'm not suggesting that ISPs should be required to filter addresses. Just that for some ISPs it may be beneficial.

Because DKIM signatures can provide indelible proof that abuse originated at a specific ISP, they are going to put added pressure on ISPs to control the abuse. Even after the ISP boots the abuser, the evidence of the abuse will still exist.

Yeah, but... large providers suffer from the Usenet Death Syndrome -- that you can threaten a provider, but the likelihood that you're ever going to pull the trigger on them is really low. Maybe it works to some degree on the social/shame level, but the technical level seems pretty remote. What _does_ seem more likely is that we'll be able to get a better handle on senders who are abusive but not drawn from large user populations, spammers being one form of that population. If we can set up a situation where they are faced with two choices: stay in the ever increasingly toxic sewer of unauthenticated messages, or authenticate their messages which allows reputation to accrue, then we'll all be in a much better position. I guess the same goes for third party signatures too.
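
The suggestion quoted above from John Levine (an opaque customer token in a header that the DKIM signature covers) is sketched here as an added example; it is not part of the thread or any participant's code. The header name `X-Customer-Token`, the HMAC construction, the key and the sample message are assumptions, and the DKIM signature is assumed to have been verified cryptographically before `identify` runs.

```python
import base64, hashlib, hmac
from email import message_from_string
from email.message import Message

TOKEN_HEADER = "X-Customer-Token"   # hypothetical header name, not from the thread
SECRET = b"constructed-demo-key"    # constructed; the ISP keeps the real key private

def customer_token(account_id):
    """Keyed hash of the account id: opaque to anyone without SECRET."""
    mac = hmac.new(SECRET, account_id.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:12]).decode()

def stamp(msg, account_id):
    """Before signing: drop any client-supplied copy, then add the ISP's token."""
    del msg[TOKEN_HEADER]            # removes every instance, no error if absent
    msg[TOKEN_HEADER] = customer_token(account_id)
    return msg

def signed_headers(msg):
    """Lower-cased header names from the h= tag of the DKIM-Signature."""
    raw = msg.get("DKIM-Signature", "")
    pairs = (t.split("=", 1) for t in raw.split(";") if "=" in t)
    tags = {k.strip(): v for k, v in pairs}
    return {h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()}

def identify(raw_message, accounts):
    """Abuse desk: map a complaint to an account, or None if the token is untrusted.
    Assumes the DKIM signature itself was already verified cryptographically."""
    msg = message_from_string(raw_message)
    values = msg.get_all(TOKEN_HEADER, [])
    if len(values) != 1 or TOKEN_HEADER.lower() not in signed_headers(msg):
        return None                  # unsigned or duplicated token proves nothing
    index = {customer_token(a): a for a in accounts}
    return index.get(values[0].strip())

def sample_complaint(account_id, h_tag):
    """Constructed message as a recipient would report it (b= is a placeholder)."""
    msg = Message()
    msg["From"] = "anyone@example.org"       # whatever address the user chose
    msg[TOKEN_HEADER] = "forged-by-client"   # client-supplied copy, must not survive
    stamp(msg, account_id)
    msg["DKIM-Signature"] = ("v=1; a=rsa-sha256; d=isp.example; s=sel; "
                             f"h={h_tag}; b=PLACEHOLDER")
    msg.set_payload("body\n")
    return msg.as_string()
```
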

