On Mon, 7 Nov 2005 19:01:40 -0800 Douglas Otis
<dotis(_at_)mail-abuse(_dot_)org>
wrote:
DKIM without SSP provides an ability for Name-based white-listing of
transports. Name-based white-listing/reputation would not be prone
to IP address exploits. Filtering programs would have a verifiable
source for a message to permit a significant reduction in related
errors. If there was abuse, there would be a verified name for
addressing complaints. Why would that be useless for you?
For reputation systems, I've little interest. I'm a very small business
and so the type of large scale systems you've described as being necessary
for rapid/effective reputation are out of reach. Honestly Spamassassin
does well enough for me and it's not clear segregating reputation into a
separate set of heuristics will produce a more reliable end result. So,
in
short I doubt more heuristics will make things better and I can't afford
them anyway.
A verified signer for the message could improve the results of filtering
applications like Spamassassin. As this is your primary mechanism,
improving these applications would benefit you significantly. A general
requirement that From matches the signer will not be reduce the amount of
spam, as spammers adapt.
What major benefit do you expect?
I assume DKIM is going to happen one way or another. So, SSP would
provide
a deterministic way for mail receivers to reject certain messages. This
will help me defend the reputation of my domains. It will also perhaps
provide some reduction in the risk that my domains' users will get phished
(none of them use an MUA that only displays the pretty name).
Mandating From be tied to the signer will be highly problematic for most.
Domains seeing significant spoofing may accept this restriction. Without
restricting the From to the signer as a general practice, then your
assumptions would be wrong. For example, I would assume you want your
messages seen coming from a list-server.
Ensuring the signer is able to control abuse of the signature does not
detract from the benefits that you would enjoy, but it does allow the use
of a name-based reputation. The self-revocation mechanism that has been
suggested would also benefit those that do not use a reputation service.
These self revocations would be driven by reputation feedback. This would
be a way to share the benefits of reputation. : )
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org