On Nov 14, 2005, at 5:24 PM, Dave Crocker wrote:
It would seem consensus may have been reach by those convinced
that since many abusive messages spoof the email-address, limiting
the use of an email-address therefore prevents abusive messages.
3. If you aren't, then how is your lengthy note usefully responsive
to Jim's point?
There is a larger community affected by these changes. Inclusion of
the DKIM signature alone _greatly_ enhances an ability to defend
against abusive messages. Several have expressed almost zealous
motivations for also constraining the use of email-addresses. The
charter should take a long view and be sensitive to disruptions
created by email-address constraints, rather than offering
justifications. Never should these email-address constraints be seen
as a method to abate spam as currently implied by the charter. : (
Motivations for email-address constraints should be tempered by a
realization that:
1. Email-address constraints can be readily circumvented by Bad Actors.
MUA displays are not secure allowing:
a. acquisition of look-alike domains with various character-sets
b. reliance upon "pretty name" displays with new/used domains
c. positional obfuscation within headers
2. Email-address constraints will disrupt email services.
a. ISPs will require/inject multiple From addresses
b. Third-party services will need to inject multiple From addresses
c. RFC2822 precedence will be modified
d. MUAs will not function as expected
3. Email-address constraints will expose users to greater abuse.
a. posting multiple From addresses increases spam burdens
b. limiting email-addresses to the provider reduces privacy
c. local-parts in DNS may invite unabated dictionary attack
4. Once MUAs are DKIM aware, there will be _no_ benefit in email-
address constraints.
MUA would be able to:
a. track email-address/signing-domains
b. display the signing-domain
c. indicate when the email-address is assured by the signing-domain
Does it make sense to get the DKIM signature in place before deciding
what else must be included? Does the WG really need to promote
dubious email-address constraints? Targeted sites will benefit
substantially when link related information is compared against the
DKIM signature. Comparison of the From address offers at most a
modicum of protection which will be in place anyway in response to
the attacks. The signature itself offers a touchstone for users to
check the validity of the message by exposing the headers with older
MUAs.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org