On Aug 29, 2005, at 4:48 PM, Earl Hood wrote:
On August 29, 2005 at 13:00, Douglas Otis wrote:
I would rather see clearly defined goals rather than attractive
phrases that appear to promise everything. Attempts to define the
relationship of providers with mailbox-address will be highly
disruptive and should be avoided. To provide a uniform level of
protection, an opaque identifier should be added by the accountable
domain. This permits indirect methods to abate message replay abuse,
author forgery, and unauthorized access.
I'm unsure how effective the opaque ID will deal with replay abuse,
but it appears to still have value for other security concerns.
For example, by the time a replay is detected and a revocation
record is added to DNS, the damage is probably already done.
I took the view of those running an abuse reporting service. Often
there is unintended abuse occurring that can be handled in a
reasonably short time frame. The expiry of the signature could be in
days where the response to abuse becomes far more difficult to track,
and also more profitable for the abuser. Being able to curtail abuse
within a reasonable time frame would occupy far less time for all
involved. In addition, the revocation mechanism itself can serve as
an immediate confirmation of problem resolution. There of course is
the other benefit found when correlating the source of abuse which
offers the domain administrator more concise information. The abuse
can be compiled and would not need to be sorted for clues of where
the message originated from within the domain.
-Doug
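The exchange above argues about timing: a replayed message stays verifiable until the earlier of the signature's expiry and the publication of a revocation record keyed on the signer-added opaque identifier. The following toy verifier, added here as an illustration and not code from the thread or from any DKIM implementation, models exactly those two controls. The `_revoke` label, the `revoked=1` TXT value, the opaque-identifier values and the in-memory stand-in for DNS are all constructed assumptions, not anything the thread or the DKIM specification defines.

```python
"""Toy model of signature expiry plus opaque-ID revocation (added example).

Assumptions (not from the thread): the signing domain publishes a TXT record
at <opaque-id>._revoke.<domain> containing "revoked=1" to revoke one
signature; timestamps are integer Unix seconds.
"""
from dataclasses import dataclass

# Constructed stand-in for DNS: lookup name -> list of TXT strings.
# "a7f3c9" is already revoked in this sample; "b1d2e3" is not.
FAKE_DNS = {
    "a7f3c9._revoke.example.com": ["revoked=1"],
}


@dataclass
class SignedMessage:
    domain: str        # accountable (signing) domain
    opaque_id: str     # per-message identifier added by the signer
    signed_at: int     # signing time, Unix seconds
    expires_at: int    # signature expiry, Unix seconds


def lookup_txt(name, dns=FAKE_DNS):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return dns.get(name, [])


def revocation_name(msg):
    return f"{msg.opaque_id}._revoke.{msg.domain}"


def is_revoked(msg, dns=FAKE_DNS):
    """True if the signing domain has published a revocation for this ID."""
    return any(r.strip() == "revoked=1" for r in lookup_txt(revocation_name(msg), dns))


def publish_revocation(msg, dns=FAKE_DNS):
    """Model the domain administrator revoking one signature. Returns the
    record name so the administrator can confirm the change took effect."""
    name = revocation_name(msg)
    dns.setdefault(name, [])
    if "revoked=1" not in dns[name]:
        dns[name].append("revoked=1")
    return name


def verify(msg, now, dns=FAKE_DNS):
    """Return (accepted, reason). Expiry is checked first because it needs no
    network lookup; revocation is checked only while the signature is live."""
    if now > msg.expires_at:
        return False, "expired"
    if is_revoked(msg, dns):
        return False, "revoked"
    return True, "ok"


def replay_window(msg, revoked_at):
    """Seconds after signing during which a replayed copy still verifies:
    until the earlier of revocation and expiry. A multi-day expiry with no
    revocation leaves the whole expiry period open; prompt revocation
    closes it early."""
    end = min(msg.expires_at, revoked_at)
    return max(end - msg.signed_at, 0)


if __name__ == "__main__":
    week = 7 * 86400
    live = SignedMessage("example.com", "b1d2e3", 0, week)
    print(verify(live, 3600))                      # (True, 'ok')
    print(replay_window(live, 10 * 86400))        # 604800: no revocation, open all week
    publish_revocation(live)
    print(verify(live, 3600))                      # (False, 'revoked')
    print(replay_window(live, 7200))               # 7200: revoked two hours in
```

`replay_window` is the point of the example: with a seven-day expiry and no revocation, a replayed copy verifies for the full 604800 seconds, whereas a revocation published two hours after signing limits the window to 7200 seconds, which is the "reasonable time frame" argument made above.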
_______________________________________________
ietf-dkim mailing list
http://dkim.org