ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Email-address independent of signing-domain DKIM charter

2005-11-07 12:17:28
from [Douglas Otis] [Permanent Link] 

On Nov 7, 2005, at 4:27 AM, Scott Kitterman wrote:


On 11/06/2005 17:35, Douglas Otis wrote:

On Nov 5, 2005, at 9:16 PM, Dave Crocker wrote:

However, the best way to gauge this probably is for you to specify
the text that you propose to have changed in the charter.


While there appears to be some support for imposing a requirement
that From header always be associated with the transmitting domain,
there is a lack of appreciation that an open-ended authorization
becomes the target of abuse.  ...
If you change lack of appreciation to lack of agreeing with you that this is 
the end of the world, I suppose that's not to far off.
Attributing the signing-policy as referenced from the From domain is but one approach. It has an unfortunate side-effect. There are unfair reputation schemes that will use any authorization to accrue reputation based upon the email-domain rather than the signing-domain as desired and fair. The effect of this misapplication of reputation makes allowing third-party signers highly problematic. Of course not allowing third-party signers would cause message losses with respect to many services, such as list-servers. The eventual remedy would be to introduce double From email-addresses, where the author is now once again unverified, and will perhaps create a great deal of confusion and change to the MUAs and list-services attempting to deal with multiple From addresses. While it would not be the end of the world, it would be a mess and will create an unfair shifting of accountability. 




There is an alternative to that approach.  This alternative should
provide far greater abatement of abuse with a charter as follows:


snipped for brevity
I think this would be a really bad idea. I like the current draft charter a 
lot better.
A better review of how this opportunistic scheme could be implemented should offer several pragmatic justifications, as well as avoiding problematic open-ended policies (allowing third-party signatures.) In the end, the prevention of spoofs for critical domains would actually be more comprehensive and meaningful. 

-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Re: DKIM h= tag - Defauilt or required headers?, Michael Thomas
Next by Date:  Re: [ietf-dkim] Email-address independent of signing-domain DKIM charter, Scott Kitterman
Previous by Thread:  Re: [ietf-dkim] Email-address independent of signing-domain DKIMcharter, Hector Santos
Next by Thread:  Re: [ietf-dkim] Email-address independent of signing-domain DKIM charter, Scott Kitterman
Indexes:  [Date] [Thread] [Top] [All Lists]