
[ietf-dkim] accountability, resenders, and replay

2005-08-26 11:10:26
On Tue, 23 Aug 2005, Keith Moore wrote:

> What standard should a domain require before "authorizing" a message?
> That it's suitable for any recipient who might somehow find it in his
> mailbox?  (I doubt it)

What I mean by "accountable" is that one would expect that the domain has
a reasonable anti-spam policy which they actually follow. There's a lot of
blurriness in "reasonable": for example, opt-out mailing lists are legal
in the USA but not the EU. But in general it means that they should
respond meaningfully to complaints, e.g. removing recipients from mailing
lists or cancelling rogue senders' accounts. It does not mean that they
will get blacklisted at the drop of a hat, as some people on this list
seem to fear.

> When evaluating a signature, I think the recipient generally cares about one
> of two things: who wrote the message and who sent the message to his mailbox.
> The first tells him whether the message is authentic; the second tells him who
> to blame for sending him a message that he didn't want to receive.  In the
> second case, I don't think it matters too much whether the signer is a mailing
> list or some other kind of resender - except that in the case of a mailing
> list it might not be feasible for the list to sign "I sent this message to X"
> for each recipient X.

Perhaps we need to be clear about on whose behalf an intermediary is
acting, because it then becomes more obvious who can be meaningfully held
accountable and therefore who would reasonably be expected to sign the
message.

on behalf of the sender:
        submission servers
        list expanders operated for the sender
These have meaningful accountability (close control over who can submit
messages) so would be expected to sign their messages.

on behalf of the recipient:
        incoming border MTAs
        forwarding services
These do not have much control over what messages they may be offered
(though there's a quality-of-implementation issue w.r.t. their anti-spam
efforts). They might not be expected to sign.

on behalf of both:
        mailing lists
Meaningful accountability, assuming the mailing list has subscriber-only
posting so that it can plausibly exercise control over the behaviour of
list members. Less strict lists need more analysis :-)

Tony.
-- 
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.
_______________________________________________
ietf-dkim mailing list
http://dkim.org