On Oct 31, 2005, at 9:08 AM, Earl Hood wrote:
On October 31, 2005 at 12:41, Scott Kitterman wrote:
For some businesses (like the mybank example that has been raised),
such restrictions are desirable, and probably justifiable. But if
ISPs and other email service providers adopt EXCLUSIVE policies...
They will either explain the reasoning well enough that their
customers will be willing to live with the restrictions or their
business will go elsewhere (in the case of ISPs it may mean users
cease using ISP provided mail and find their own 3rd party provider -
even if a user can't immediately switch to a new ISP, it certainly
lowers the perceived value of the product).
As I noted in a previous message, switching can be very costly
for many. A provider may realize that many users have an existing
vested investment in the provider's services, making any switch by
the users costly. Therefore, the provider can change their policies
knowing that many users will still stay with them, even if they are
not happy with changes.
I think all of us can think of real-world cases where such business
practices have been exercised.
BTW, I am not saying that such an event is inevitable. However,
it is a risk to current email operations if DKIM (as it is currently
defined) is widely deployed.
Generalized protection based upon the coupling of an
opaque-identifier and the signing-domain as a pseudo-certificate will offer
superior protection for phished domains without the need for any
policy assertions attempting to rigidly bind the signature to some
email-address. Such an approach using an opaque-identifier would be
better able to detect "pretty-name" and "look-alike" attacks.
Creating a rigid binding between an email-address and a DKIM
signature is corrosive to the freedoms currently enjoyed. People
are free to use mailing-lists and send from various providers. As
long as the administrators of these services are diligent about
removing abusive accounts, there is no reason to consider these
services abusive.
Rigidly binding the DKIM signature to an email-address, either by
policy assertions or convention, will cause these freedoms to be
lost. It will not be a matter of choice. Once this rigid
association is used as a means to exclude messages, all email domain
owners will be coerced by such a scheme into asserting the rigid
binding as their only defense against being unfairly accused of
permitting abuse.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org