ietf-dkim

Re: [ietf-dkim] Not exactly not a threat analysis

2005-08-24 18:44:12
On August 24, 2005 at 14:51, John Levine wrote:

>> I thought the primary role was to authenticate an identity.
>
> Right.  The identity of the accountable party.
>
>> Any "accountability" should be explicitly defined.
>
> Good lord, no.  The recipient might do anything from whitelist a domain to
> blacklist it to filing suit under a local anti-spam law.  It would be the
> height of hubris and foolishness to try to dictate that.

Sorry, I did not mean that the exact policies and enforcement rules
of accountability should be defined, but what is meant by being an
"accountable identity".

IMHO, I think using the term "accountable identity" in a specification
that does not provide any indication of the type of accountability the
identity takes is not a good idea.  A standard should not use terms
that are not clearly defined, and something like this will lead to
questions by those considering adoption on what the consequences of
being an "accountable identity" are.

When I see the term "accountable" all kinds of implications pop in my
head, including legal ones.  For example, if I sign a message, could
I then be prosecuted if the message is involved in criminal activity?

To me, something like "authenticating the originating domain identity"
provides a clear indication of what is being identified without getting
into the murky area of "accountability".  Applications built on top of
DKIM can deal with accountability frameworks, but DKIM should avoid
even mentioning it.

--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org