ietf-dkim

Re: [ietf-dkim] is this a problem or not?

2005-10-31 09:44:06
On 10/29/2005 01:29 pm, Earl Hood wrote:
...
> Problem B2 also raises another potential problem, something I believe
> Doug has been trying to point out.  With DKIM policy controlled by the
> domain owner, and not the mailbox users, a mailbox user may be held
> "hostage" by the domain owner on how the mailbox user can use their
> account.

As Frank might say, that's a feature, not a bug.  

The domain owner is the entity that should be setting policy for how the name 
can be used.  

Retrofit of a new policy with current users is a tricky thing.  It's 
certainly, I think, the domain owner's right to set the policy, but they 
obviously need to inform users as to what the policy is, why there is a new 
policy, what the effects are, and what they can do about it.

E-mail addresses are easy enough to come by that I don't think anyone should 
be considered (in the long run) locked into an e-mail address.  If a domain 
owner institutes a restrictive policy that a user finds problematic, they 
should go elsewhere.  The market will prevent domain owners from being overly 
restrictive.

> For example, if the domain owner specifies an exclusive non-3rd-party
> signing policy, someone like Alice would be prevented from using
> services like E-cards or any other legitimate masquerading functions.
> The domain owner may care less of such uses since it deems exclusive
> non-3rd-party signing critical to "protect" its domain.

Yes, feature, not bug.

> A side example, I always send out mail via my ISP with originating
> addresses completely different from my ISP account.  My ISP has no
> problem with this since it can utilize my IP address to determine
> if I am a customer.  However, if my ISP enables DKIM signing, I may
> be screwed, along with other users that utilize a permanent OA in
> their email.  My ISP could force me to either use the email address
> they have given me for their domain (which I do not want to use) or be
> forced to always submit my mail through systems hosting my OA domain
> (whose reliability may not be as good as my ISP).

Your ISP could limit you to only using your ISP provided e-mail address at any 
time.  I don't know that DKIM significantly increases the risk of that.  
Unless the domain that you do use has a restrictive policy, I don't see the 
problem.  

Since you would appear to own your own domain, I imagine this is entirely 
within your span of control.

There may also be an emerging market for DKIM friendly ESPs that will sign 
your mail for you using your key.  Once again, if there are problems here, I 
think the market will fix it.

Scott K
_______________________________________________
ietf-dkim mailing list
http://dkim.org