Re: [ietf-dkim] DKIM charter
2005-11-14 18:23:06
On Nov 14, 2005, at 4:04 PM, Jim Fenton wrote:
> At this stage of the game, with substantial consensus on the
> current wording, I think we should be making only small, surgical
> changes rather than complete changes in wording.
It would seem consensus may have been reached by those convinced that
since many abusive messages spoof the email-address, limiting the use
of an email-address therefore prevents abusive messages.
Unfortunately, abusers will be among the first to meet _any_ new
email-address criteria, while the rest of us wonder why our email was
deleted or rejected. To protect transactional email, more than just
From header matching is required. To combat "pretty-name" and
look-alike exploits of transactional email, message content will need
examination. This goes far astray from the basic benefits of DKIM
verifying the accountable domain. Here S/MIME or OpenPGP seem more
appropriate solutions.
> The ability for the message to be signed by a different domain is
> covered by the wording in the first paragraph, "...that allow a
> domain to take responsibility, using digital signatures, for having
> taken part in the transmission of an email message..."
This paragraph exposes a significant bias in the second sentence by
saying "While there are _sometimes_ legitimate reasons for doing
this..." Either the working group strives to generally protect the
independent use of an email-address, or there will be significant
change to the way the email is used. Will people be required to
include multiple email-addresses in the From header to have their
messages accepted? Will this requirement expose users to greater
abuse and reduced privacy? With this new regime with multiple
email-addresses, the purported author is still not being checked, and is
unlikely to see the reply.
Consensus should consider how this affects the broader population.
There will _never_ be a deterministic method that will detect an
abusive email. Having just the DKIM signature will make spoofing
emails far more difficult and will significantly reduce false
positives. Abatement of abuse does not require restrictions on the
From address. The DKIM signature is far more significant than any
other mechanism being considered. The benefit of mandating
email-address/signing-domain requirements out-of-band is being
overstated, when compared to what can be done within just the DKIM
signature.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org