ietf-dkim

Re: [ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?

2005-08-21 00:26:13
On Sat, 2005-08-20 at 22:17 -0400, Scott Kitterman wrote:
> Douglas Otis wrote:
>
> > With DKIM, a small list of trusted signing domains will exclude most
> > emails which need greater examination.  The level of support to maintain
> > this type of trusted list would be less than the traditional IP address
> > white-list.  By not binding the signing domain with the mailbox-address,
> > there can be greater consolidation which further improves the leverage
> > of such a list.  Those implementing DKIM could benefit by this rather
> > practical use.  Complaints directed to those permitting access will
> > benefit the industry in general, and again provide greater acceptance
> > with DKIM as the basis.  When MUAs eventually display the signing
> > domain, this should also be to the signing domain's benefit.
> >
> > Aspects of the message content may become beneficiaries of a domain
> > binding later, but should not be included in the initial offering to ensure
> > fewer operational issues.
>
> I'm not certain, but I think you are saying that the benefit to me is
> that I'll be put on a whitelist and it will be very difficult to get my
> mail delivered if I'm not on the magic list?


Consider mutual benefits rather than that derived from one party
signing.  As long as costs with respect to implementation are minimal,
barriers toward acceptance should also remain low.  With low entry
barriers and eventual wide deployment, better access control and abuse
isolation can be achieved.  On the other hand, problems requiring
extensive support with a new scheme will create substantial barriers.

User access must be controlled at the sending domain.  This granularity
of control can not be done by recipients applying extensive rules based
upon excessive amounts of information inappropriately placed in DNS.
All of this complexity will fail as vain attempts to thwart targeted
behaviors of individual abusive users.


> I don't have a problem with getting my mail delivered today, so I guess
> if your view prevails, I can ignore DKIM until someone starts telling me
> I MUST sign using DKIM or they won't accept my messages.  I expect I
> wouldn't be alone in that view.


Many will wait.  This working group should not over sell DKIM.  DKIM can
not directly prevent forgery or phishing.  DKIM can not directly prevent
people from lying.  DKIM will allow effective actions when problems are
reported.  Offering this modest means to verify the administrative
domain will likely become a more significant acceptance factor which
should foster greater adoption.     


> Am I missing something here (wrt to benefit to a sender to sign)?
>
> When you say "..will benefit the industry in general.." what industry
> are you talking about?


By industry, I am referring to institutions and companies who depend
upon email to conduct business.  Email is suffering with protocols that
currently do not offer effective means for locating and preventing the
repetitions of abusive behavior.  DKIM is not improved by binding
mailboxes to administrative domains because that is not how email
currently works.  Source isolation could improve greatly by an opaque
identifier which does not alter current email use.  The administrative
domain would add this identifier assured to isolate any potential source
of abuse.

People (and manual filters) are good at recognizing patterns.  A signing
domain with an opaque identifier will be a more effective deterrent than
complex and problematic bindings of server's domains with that of
mailboxes.  


-Doug




_______________________________________________
ietf-dkim mailing list
http://dkim.org
