Dave Crocker wrote:
Folks,
Here's thought:
Both the SPF/Sender-ID history and the current DKIM discussion about SSP involve
enforcing a linkage between "originator" ID and "handling agent" ID. It is also
the basis for private lists maintained by some recipient sites. (It also came up
during CSV development, the the specifications did not reach quite that far.)
As a matter of simplifying the situation for some interesting set of messages
that are received, it is clear that folks believe it useful to have a way of
enforcing a linkage between these two types of identities.
A number of us believe that it's not just useful, it's essential.
The simple form of the test is:
If an originator's site invokes this linkage as a public policy, and
if a message fails to satisfy the linkage,
then the message should be treated as having invalid
origination information.
There are various types of identifiers that relate to the originator and
various others that relate to handling agents. I've tried to avoid listing
specifics in order to focus on what seems to be an underlying requirement.
In fact this requirement seems so basic and pervasive that
I am wondering whether it is necessary or appropriate to
restrict it to a particular authentication technique?
We beat this around a lot on spf-discuss last year before getting
distracted by MARID. Not much on the topic was accomplished, but it did
seem pretty clear from that discussion that each technique would need
it's own method of linkage in order to produce a clear result for that
technique. How to combine the results from different techniques is a
meta question that clearly reaches beyond any one approach.
Equally I am wondering whether it is not distracting from the core DKIM
authentication work to emphasize this particular requirement prior to
deployment of a signing/validating mechanism.
As I've said before, something like SSP is essential.
It is trivially simple for me to S/MIME sign every message I send and
slightly less trivial, but not difficult, for me to arrange to have
every message sent by my domain S/MIME signed. Almost anyone can sign
S/MIME, but almost no one does. PGP is slightly harder in my case, but
not difficult. Once again, almost no one does.
You are trying to simplify yourself out of having significant marginal
utility over existing solutions that are deployed, but not utilized.
In other words, it is starting to look as if the mechanism for enforcing
originator/handling linkages needs separate focus from techniques for
performing authentication.
Thoughts?
DKIM needs it's mechanism for doing this.
Combining results from multiple techniques is a separate question that
ought to be tackled by somebody. I have thoughts on how to do that, but
they aren't on topic for this list. Unfortunately, I'm not quite sure
what list they are on topic for...
Scott Kitterman
_______________________________________________
ietf-dkim mailing list
http://dkim.org