ietf-dkim

Re: [ietf-dkim] Not exactly not a threat analysis

2005-08-23 09:26:08
On Tue, 23 Aug 2005, Keith Moore wrote:

> If you put signing domains in the position of accepting responsibility for any
> type of abuse, you do several things.  One is that you make it more difficult
> for domains to justify signing messages.  And because "abuse" is subjective
> (one recipient's spam is another recipient's useful ad), you end up both
> legitimizing some amount of abuse and marginalizing useful and valid behavior.

I don't think your conclusion is correct. The current situation is that IP
addresses are used to identify accountable entities in email, and there's
no formal classification of IP addresses into email servers or end-user
systems or whatever. Recipient sites can choose from a wide range of
blacklists which implement various policies according to how strict they
want to be along various dimensions. I don't see any clear signs of the
convergence to mediocrity that you are concerned about, except to the
extent that we can't accurately identify an accountable entity (e.g. it's
an ISP's relay so we can't identify which customer it is) or heavy-handed
use of dial-up lists (though zombie identification is replacing that
technique).

However I'm not arguing against some kind of signer-role tag in the
signature. This could be a useful nuance, because (for example) the
signatures on messages from my submission servers will be much stronger
than those from my outgoing relays, because in the former case we are able
to enforce proper authentication and identification of the submitter in
the message.

Tony.
-- 
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.
_______________________________________________
ietf-dkim mailing list
http://dkim.org