ietf-dkim

Re: [ietf-dkim] DKIM SSP: Security vulnerability when SSP record does not exist?

2005-08-21 20:09:30
On Sun, 2005-08-21 at 13:35 -0400, Scott Kitterman wrote:
> Douglas Otis wrote:
>
> This also, I think, brings to light an important reason for the
> divergence in our perspectives.  I believe that you are saying that you
> think DKIM's usefulness is primarily in supporting reliable name based
> reporting so that repetition of abuse can be more effectively prevented.
>
> If I got that right, then I understand why you are only interested in
> the signature piece of DKIM.
>
> Personally, from my perspective as a receiver, I have little interest in
> cleaning the mess up after the fact.

Phishing is not addressed by DKIM without unusual processing,
conventions, and exceptions.  For anti-phishing, an industry list of
troubled domains meeting a new regime of conventions seems a practical
solution.  The spoofing of the bounce-address can be handled by using
BATV, so let's take those issues off the table.

So...

Are you suggesting that requiring the use of specific providers for a
particular mailbox-domain will determine beforehand whether a message
will be abusive?  Are you suggesting that mailbox-addresses are such a
rarefied commodity they _must_ be spoofed for there to be abuse?  Are
you suggesting flag-day adoptions to establish this new paradigm?

There are far fewer domains.  Predicting the probability of abuse could
be reasonably made at the domain, but never as easily at the mailbox-
address.  The mailbox-address may or may not be limited to specific
accounts or even to specific providers.  Are such criteria to resolve
abuse to the mailbox-address aimed at excusing a provider (the signing
domain) for their lack of good governance?  Is this your desired
benefit?


> Although such post-facto reporting mechanisms are useful in raising
> the marginal cost of abusive behaviour, they aren't that helpful in
> stopping abusive mail getting sent.  The abuser just pops up
> elsewhere.


Locating or correlating the source of abuse is key.  A signed opaque
identifier would be far more effective in that aim, than a mailbox-
address which may or may not be unique across accounts or providers.  An
opaque identifier would not require a disruptive forcing of new and
onerous practices in a move to constraining mailbox-domain use.  Such
constraints, together with the incumbent support issues, will likely
create substantial barriers to adoption anyway.  


> As a receiver, MY primary interest in technologies such as DKIM is as a
> method to prevent abusive mail from being delivered in the first place.
>
> I want to reject it before I ever take responsibility for it.


You have piqued my curiosity.  What principle are you basing this
newfound means to predict beforehand whether a message is abusive?  Why
can't the use of the signing domain and opaque identifier play the same
role without changing the way mail is used?

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org
