|
Re: [ietf-dkim] SSP acceptance chart
2005-11-02 16:27:34
On Nov 2, 2005, at 11:50 AM, Hector Santos wrote:
I doubt that an email service, who values customer service and PR
as much as the next service, will not disclose a TOS or inform
users the change in policies.
Terms of service are irrelevant. Who is held accountable with
respect to reputation? SSP authorization invites the email-address
domain owner to be held accountable via MUA/MDA extensions. While
some providers see this as a major benefit, the only defensive
strategy permitted by this scheme is to prohibit all third-party
signatures.
This removes independent use of email-addresses and list-servers, for
example. As a general principle, the entity introducing messages is
held accountable as a means to abate abusive traffic. SMTP can not
endure accepting all messages to then apply SSP policies on entities
unrelated to the introduction of the message. The added DKIM
verification process will only make this principle more critical,
especially with multiple signature stacks.
In fact, with immediate SSP notification, it will provide legally
friendly satisfication of user expectations.
When DSN are often dropped, a query for an optional 'r=' parameter in
an SSP record may be checked, but unlikely once the email-address
obtains a bad reputation. While there may be some feedback resulting
from this mechanism, there are few remedies available for the email-
address domain owner. One would expect the signing-domain granting
access to the abuser should be contacted instead. Stopping abuse at
the source then permits the added security of DKIM.
There might be risk for the email server who do not perform an SSP
only which might cause user mail to be later rejected or worst lost.
I think you are saying that providers should check whether the email-
address has authorized their domain before sending? If not, the
message may be deleted.
I remain unconvinced that most, if not, significant majority, Email
Services, especially commercial ones, will not be interested in
protecting their service from unrestricted domain abuse.
This is indeed a common refrain. Until MUAs are modified, DKIM
offers no such protection however. When MUAs are modified, the
signing-domain should be made visible in some manner. This could by
done when an initial message is received, where the user is asked to
approve these identifiers. Anytime an identifier appears to have
changed, or another message looks like a message with retained
identifiers, they should be alerted. In that case, there would no
need for an SSP scheme. None! This could be enhanced by offering
recommendations contained directly within the signature on the scope
of identifier needed to isolate the author.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
| <Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: [ietf-dkim] DKIM proposed charter tweak, (continued)
Re: [ietf-dkim] DKIM proposed charter tweak, Dave Crocker
Re: [ietf-dkim] DKIM proposed charter tweak, Hector Santos
- Re: [ietf-dkim] SSP acceptance chart, Douglas Otis
- Re: [ietf-dkim] SSP acceptance chart, Scott Kitterman
- Re: [ietf-dkim] SSP acceptance chart, Douglas Otis
- Re: [ietf-dkim] SSP acceptance chart, Scott Kitterman
- Re: [ietf-dkim] SSP acceptance chart, Hector Santos
- Re: [ietf-dkim] SSP acceptance chart,
Douglas Otis <=
- Re: [ietf-dkim] SSP acceptance chart, Hector Santos
- Re: [ietf-dkim] SSP acceptance chart, Douglas Otis
- Re: [ietf-dkim] SSP acceptance chart, Hector Santos
- Re: [ietf-dkim] SSP acceptance chart, Douglas Otis
- Re: [ietf-dkim] SSP acceptance chart, Dave Crocker
- Re: [ietf-dkim] SSP acceptance chart, Stephen Farrell
- Re: [ietf-dkim] SSP acceptance chart, Douglas Otis
- Re: [ietf-dkim] SSP acceptance chart, Douglas Otis
Re: [ietf-dkim] SSP acceptance chart, Hector Santos
Re: [ietf-dkim] SSP acceptance chart, Douglas Otis
|
|
|