On Nov 1, 2005, at 7:46 PM, John Levine wrote:

> > Absent SSP (or something like it), then in the broad sense of the
> > word, DKIM does need some kind of reputation system to be effective.
>
> That depends what problem you're trying to solve, since there are some
> that only involve validating that the sending address is real without
> caring if the sender is nice or nasty.

DKIM is operating at the message transport system. Is it reasonable
to assert that an email-address authorization scheme for "third-party"
signatures is a good solution for this problem? No. Other
mechanisms analogous to S/MIME or OpenPGP independent of the message
transport system would provide a fairer and easier to manage solution.

> The problem is mail address forgery, we all agree that DKIM is a
> reasonable way to address it, and for the purposes of the WG there is
> no need to get into what other higher order problems might or might
> not be solved thereby.

While there is a problem related to email-address forgery, a complex
authorization scheme does not offer a good solution. Nor do I think
this approach will mitigate the problems represented by these
forgeries. In other words, the same bad acts will continue
unabated. Odd that you would use a list-server as an example, when
it is this type of service that will be negatively impacted.

DKIM offers little of value without reputation applied. Once this is
understood, then protecting reputation is a dynamic that must not be
ignored.

-Doug