On Mon, 7 Nov 2005 19:01:40 -0800 Douglas Otis
<dotis(_at_)mail-abuse(_dot_)org> wrote:
> On Nov 7, 2005, at 6:24 PM, Scott Kitterman wrote:
>> On 11/07/2005 20:37, Douglas Otis wrote:
>>> DKIM without SSP can be better than with SSP. Take out the SSP
>>> approach, and there should be fewer concerns with respect to
>>> potential impact, while there would not be any benefit lost. If
>>> anything there would be greater benefits as this approach offers more
>>> information without incurring additional overhead.
>>
>> I've no doubt that DKIM without SSP would be better for providers
>> of large scale commercial reputation services. It would be pretty
>> useless for me.
>
> DKIM without SSP provides an ability for Name-based white-listing of
> transports. Name-based white-listing/reputation would not be prone
> to IP address exploits. Filtering programs would have a verifiable
> source for a message to permit a significant reduction in related
> errors. If there was abuse, there would be a verified name for
> addressing complaints. Why would that be useless for you?

It's not so much that it would be useless, just not worth the trouble. For
the mail my domains send/receive there are other more widely deployed
technologies (doesn't really matter what, debating their merits is off
topic for this list) that give me a decent name basis for whitelisting.
It's not a hole in my arsenal that I have a serious need to fill (others
will be in different situations, I know).
For reputation systems, I've little interest. I'm a very small business
and so the type of large scale systems you've described as being necessary
for rapid/effective reputation are out of reach. Honestly Spamassassin
does well enough for me and it's not clear segregating reputation into a
separate set of heuristics will produce a more reliable end result. So, in
short I doubt more heuristics will make things better and I can't afford
them anyway.

> What major benefit do you expect?

I assume DKIM is going to happen one way or another. So, SSP would provide
a deterministic way for mail receivers to reject certain messages. This
will help me defend the reputation of my domains. It will also perhaps
provide some reduction in the risk that my domains' users will get phished
(none of them use an MUA that only displays the pretty name).
In other words, what companies like yours intend to sell, I'm not buying.
BTW, if you do succeed and kill SSP, I'm still not buying. I just go and
work on another solution. The way I read the message from E-bay that was
recently sent to the list, SSP is what they're looking for too.
This isn't to say I think SSP is done. I don't. That's part of the work
of the working group.
Scott K
_______________________________________________
ietf-dkim mailing list
http://dkim.org