ietf-dkim

Re: [ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?

2005-08-20 17:02:04
On August 19, 2005 at 17:23, Douglas Otis wrote:

> Different levels seem to suggest shifting accountability to
> coincident mailbox-domains, or even listed mailbox-domains, when
> accountability is not fully attributed to the signing domain.
> Mailbox-domain selection and related permission structures will prove
> disruptive and problematic.

And I am not talking about that in this discussion.  As DKIM is defined
now, the authorization structure within a domain is domain-defined,
and outside of the scope of DKIM.

What I am trying to get clear is your view of what DKIM should be.  I may
or may not agree with it, but I'm trying to get a clear understanding
of it.

> In effect, mail will simply not function
> properly, while creating significant risk depending upon how
> accountability is dispersed within a multi-level scheme.  Simple
> non-header assertions are possible where DKIM ignores the mailbox-address
> entirely.

A tangent that does not concern me now.

What I am trying to understand is your view of "accountability"
at the *domain* level, with respect to other domains involved
in the transmission of a message and how this would be part
of the DKIM specification.

When a message is transmitted, there is always an initial domain,
and I have been calling this the _originating domain_.  How that
domain determines who is authorized to send messages out from that
domain is specific to the domain and its governing policies.

During message transmission, there may be intermediate domains.
Examples: Forwarding services, secondary mail exchangers,
third-party service filters.  Each domain has a different role
in the transmission of the message.

In your view, if all the domains do DKIM signing, are all the
domains equally accountable (or claiming equal accountability),
regardless of the role they play?

It appears your discussion of accountability is really something that
sits on top of DKIM, since trying to standardize "accountability"
seems impractical.

Is all you are asking for, at the DKIM specification level, for DKIM
to provide a domain-based message signing specification indicating
"here is what I am transmitting out"?  SSP is not part of the equation.
With the core signing specification, things like accountability and
reputation systems can be reliably built.

Things like anti-spoofing and anti-forgery should not be part of DKIM?


> By authenticating the HELO, name based reputation could substantially
> replace IP address based reputations.

Are you referring to an SPF-like system here?
(I know, this is a distraction, so we can discuss later).

--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org
