no, it doesn't follow. in particular, it presumes that the present "bad
actors" and the future "bad actors" are similar, or that they're engaged
in similar activity. it's entirely likely that authentication will
change the behavior of bad actors, but that doesn't mean that bad actors
won't benefit by signing mail.

Agreed. But we should not let it prevent us from addressing problems
when possible. Bad actors will always find ways to exploit systems,
so the realistic goal is to increase the costs to execute exploits,
minimizing the attack vectors available, and minimize the damage when
exploits occur.

If the only bad actors we were concerned about were phishers then I'd
agree. When we include spammers in the set of bad actors then the
situation becomes less clear. Making it slightly more difficult for
current bad actors to spam might well make spam considerably more
attractive for a much larger group of bad actors who don't mind
authenticating their spam. I don't think reputation services will help
much for several reasons - one is that new identities are easy to
create, another is that it's fairly easy to end up in a situation where
the reputation services don't help you distinguish spam from ham because
nearly everyone has a somewhat tarnished reputation.

I definitely agree that much of the threat analysis that has been
provided is oriented around the DKIM solution; i.e. tailor the problem
to fit the solution.

To me, DKIM appears to only address the forgery problem. Dealing
with forgery will not eliminate undesirable mail (which btw, is
a subjective term), but can address the damage forgery can do to
identities being forged.

Yes, but if DKIM only addresses the forgery problem, it can actually
make the spam problem much worse than it is now. That's why I think
it's important that the spam problem be considered concurrently - if not
within the scope of a DKIM working group then there needs to be another
working group and close coordination between the two.

Re: undesirable mail being a subjective term: you are of course correct.
But that's the nature of spam - what is spam to you might not be spam
to me. This becomes even more true when the bar for spam is raised
enough that the spam isn't for confidence schemes and sex-related
services but instead for consumer products. When this happens it will
still clutter our mailboxes with noise that interferes with our ability
to conduct communications that we desire. So trying to define spam in
an objective way misses the point.

It may not be essential that any proposed solution address all types of
forgery, but the solution must not facilitate other forms of forgery.
For example, if a proposed solution addresses domain-based forgery,
the solution must not facilitate address-level forgery: bad actors
should not be able to exploit the "trust" of domain forgery protection
to perpetrate address-level forgery.

agreed.
Keith
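As an added example (not Keith's code and not anything from the DKIM working group), here is the address-level check the last point asks for: once a DKIM signature has verified cryptographically, the signing domain in the d= tag is compared with the domain of the From: address, so a valid signature from one domain cannot lend its "trust" to an address in another. The headers are constructed samples, and the relaxed mode assumes no public-suffix handling (it only accepts subdomains of d=).

```python
# Added example: From-address alignment check run after DKIM verification.
# It flags a message whose valid d= signature does not cover the From: address,
# the case the thread warns about (domain-level protection misused for an
# address-level forgery). All header samples below are constructed.
import re
from email.utils import parseaddr

def signing_domain(dkim_signature: str) -> str:
    """Return the lowercased d= tag of a (possibly folded) DKIM-Signature value."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", dkim_signature)
    for tag in unfolded.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "d":
            return value.strip().lower()
    raise ValueError("DKIM-Signature has no d= tag")

def from_domain(from_header: str) -> str:
    """Return the lowercased domain of the address in a From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError("From header carries no address")
    return addr.rsplit("@", 1)[1].lower()

def aligned(d_domain: str, addr_domain: str, strict: bool = True) -> bool:
    """Strict: domains identical. Relaxed: From domain is d= or a subdomain of it.
    Assumption: no public-suffix list, so relaxed mode never walks above d=."""
    if d_domain == addr_domain:
        return True
    return (not strict) and addr_domain.endswith("." + d_domain)

def check_alignment(headers: dict, strict: bool = True) -> bool:
    """True when the signing domain vouches for the From: address."""
    return aligned(signing_domain(headers["DKIM-Signature"]),
                   from_domain(headers["From"]), strict)

# Constructed samples (signature values are placeholders, not real signatures).
SAMPLE_ALIGNED = {
    "From": "Alice <alice@example.org>",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=example.org; s=sel; h=from:to;\r\n"
                      "\tbh=PLACEHOLDER=; b=PLACEHOLDER=",
}
SAMPLE_MISALIGNED = {  # valid-looking signature, but from an unrelated domain
    "From": '"Bank Support" <support@bank.example>',
    "DKIM-Signature": "v=1; a=rsa-sha256; d=mailer.example; s=sel; h=from;"
                      " bh=PLACEHOLDER=; b=PLACEHOLDER=",
}
SAMPLE_SUBDOMAIN = {  # passes only under relaxed alignment
    "From": "bob@news.example.org",
    "DKIM-Signature": "v=1; a=rsa-sha256; d=example.org; s=sel; h=from; b=PLACEHOLDER=",
}
```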
_______________________________________________
ietf-dkim mailing list
ietf-dkim(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/ietf-dkim