
Re: [ietf-dkim] draft-fenton-dkim-threats-00

2005-10-13 13:46:19
----- Original Message -----
From: "Earl Hood" <earl(_at_)earlhood(_dot_)com>
To: "Arvel Hathcock" <arvel(_at_)altn(_dot_)com>

In order to provide a better assessment of the value of a DKIM domain
identity, it would help to know the role it played in the transmission
of a message.  For example, an originating domain signature may have
a different weighting by recipients from a forwarding domain signature
when determining if the message is acceptable.

Of course, this also feeds into potential reputation systems, but
some domains may be put under higher scrutiny based upon the role
they played.


Well said.

I don't see how DKIM can proceed without working out this extremely
fundamental aspect of the inherent email problem - inconsistent
transactions.

If SMTP had been written up on day one where the HELO and MAIL FROM had to be
validated or "consistent," we would not have the huge problem today (at least a
huge issue of bad or spoofed domains).

Bad Actors exist because they KNOW there exists a market of NON-VERIFYING
systems.  This is what we need to wean out of the system.

IMO, we are going down the same path with DKIM.  Verifiers and Signers must
validate the "intent" of the SSP otherwise there isn't going to be any kind
of 'reliable' policy assertions that can be made.

When I sign a message, "confidence" is provided when I know that the
downlinks are required to do their job of Double Checking the integrity and
identity of the message.   It is the same level of confidence I have today
in designing mail products for a heterogeneous network: there is a standard
behavior expected for transactions.

If we leave it open that DKIM verifiers/signers do not have to check SSP,
then we have no confidence in the downlinks.

We are back to square one.

If we think we can address this in "version 2" then we are promoting backward
compatibility issues.  Version 1, you don't have to check the SSP.  Version
2, you have to check the SSP.  Well, Bad Actors will stick with Version 1.

I'm from the mold of "Getting it right, the first time."   We should "Get It
Right", in version 1.

Sincerely,

Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
305-431-2846 Cell
305-248-3204 Office
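Added illustration (not part of the thread, and not code from any DKIM implementation): a toy verifier that puts the two points above side by side. It classifies each verified DKIM signature by the role the quoted paragraph describes (originating domain when the d= domain matches the From domain, forwarding domain otherwise) and weights it accordingly, then consults a sender signing policy before deciding. The `SSP` table, its policy labels, the `Signature` class, the role weights and the sample messages are all constructed for this example; the labels only stand in for whatever a published SSP record would say. The `check_ssp` flag models Hector's "version 1" verifier that does not consult SSP: for it, a spoof of a domain that signs all its mail is indistinguishable from ordinary unsigned mail.

```python
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed SSP table (hypothetical): stands in for the DNS lookup a real
# verifier would perform.  The policy names are labels for this example, not
# the wire syntax of any SSP draft.
SSP = {
    "bank.example":  "all-signed-no-third-party",
    "news.example":  "all-signed",
    "hobby.example": "some-signed",
}

# Weighting by signer role: an originating-domain signature counts for more
# than a forwarding-domain signature (constructed weights).
ROLE_WEIGHT = {"originating": 1.0, "forwarding": 0.5}


@dataclass(frozen=True)
class Signature:
    domain: str     # the d= domain of a DKIM-Signature header
    verified: bool  # whether the cryptographic check of that signature passed


def from_domain(from_header: str) -> str:
    """Domain of the address in the From: header, lower-cased ('' if none)."""
    addr = parseaddr(from_header)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def signer_role(sig_domain: str, origin: str) -> str:
    """'originating' if the signer is the From domain itself, else 'forwarding'."""
    return "originating" if sig_domain.lower() == origin else "forwarding"


def best_signature(from_header: str, signatures):
    """Role and weight of the strongest verified signature, or (None, 0.0)."""
    origin = from_domain(from_header)
    best = (None, 0.0)
    for sig in signatures:
        if not sig.verified:
            continue  # a broken signature carries no weight at all
        role = signer_role(sig.domain, origin)
        if ROLE_WEIGHT[role] > best[1]:
            best = (role, ROLE_WEIGHT[role])
    return best


def evaluate(from_header: str, signatures, check_ssp: bool = True) -> str:
    """Verdict for one message: 'accept', 'suspect', 'neutral' or 'reject'."""
    role, _weight = best_signature(from_header, signatures)
    if not check_ssp:
        # "Version 1" verifier: SSP is never consulted, so an unsigned message
        # is merely unsigned, whatever the From domain promised about signing.
        return "accept" if role else "neutral"
    policy = SSP.get(from_domain(from_header), "unknown")
    if role == "originating":
        return "accept"  # the domain's own signature satisfies every policy
    if policy == "all-signed-no-third-party":
        return "reject"  # a forwarder's signature does not stand in for the origin's
    if policy == "all-signed":
        return "suspect" if role == "forwarding" else "reject"
    # some-signed or no published policy: a forwarder signature adds some
    # confidence, an unsigned message is simply neutral
    return "accept" if role == "forwarding" else "neutral"


# Constructed sample messages: (From header, verified-or-not signatures)
SPOOF_BANK = ("Alice <alice@bank.example>", [])
GENUINE_BANK = ("Alice <alice@bank.example>", [Signature("bank.example", True)])
FORWARDED_BANK = ("Alice <alice@bank.example>", [Signature("fwd.example", True)])
FORWARDED_NEWS = ("news@news.example", [Signature("fwd.example", True)])
BROKEN_HOBBY = ("bob@hobby.example", [Signature("hobby.example", False)])

if __name__ == "__main__":
    for name, msg in [("spoof", SPOOF_BANK), ("genuine", GENUINE_BANK),
                      ("forwarded bank", FORWARDED_BANK),
                      ("forwarded news", FORWARDED_NEWS), ("broken", BROKEN_HOBBY)]:
        print(f"{name:15s} no-SSP={evaluate(*msg, check_ssp=False):8s} "
              f"SSP={evaluate(*msg)}")
```

The interesting row is the spoof: the SSP-checking verifier rejects it because bank.example published that all its mail is signed, while the verifier that skips SSP returns the same "neutral" it would for any unsigned message, which is the "no confidence in the downlinks" situation the reply describes.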


_______________________________________________
ietf-dkim mailing list
http://dkim.org