On Nov 22, 2005, at 4:25 PM, Hector Santos wrote:
How about the rights of the server? of the domain owner?
The signing-domain would be that of the administrative-unit
introducing the message. Why is that not an adequate basis for
acceptance?
What's an "Administrative Unit"?
It is used in the draft, although Dave does not like the term either.
2. Email Actor Roles
http://www.ietf.org/internet-drafts/draft-crocker-email-arch-04.txt
What about the rights of the server, domain, the owner of the email
domains being exploited?
Requiring an email-address owner to "authorize" who may sign their
messages exposes them to the risks of the authorization itself. The
authorization may be used to unfairly accrue behavior due to the
"junk" they inadvertently authorize. This should sound familiar, as
it is a scheme already in place. The email-address owner may quickly
lose their right to have their messages accepted when authorizing
third-party signers. This breaks current email practices and thus
should win broader consensus before moving forward. Considering that
SSP is a futile effort and that there are better methods to avoid
spoofing, why should it?
For example, when this list implements a DKIM signature without other
changes, then third-party signatures will need to be permitted. Why
is the signature of the list-server alone not an adequate basis for
acceptance? Email-addresses should not be held accountable unless
S/MIME or OpenPGP provides an expectation that the email-address owner
and the signer are one and the same.
Consider a scheme where a prior correspondent is highlighted as the
means to avoid spoofs of all sorts (including look-alikes). Just the
existence of a DKIM signature would greatly improve filter heuristics
without the authorization scheme. Deterministic criteria can be
asserted without an authorization record, by the way. When only
'o=!' records exist, the overhead will be fairly high, especially for
the spam that uses a series of wildcard labels in their addresses to
avoid filters.
Do you think that a worm will not adapt and avoid "deterministic"
constraints?
But even if it did, it would be a lot better than your "Take The
First Strike" ideas where there is no incentive for adaptation.
If they have adapted and comply with your "deterministic"
requirements, how have you avoided the "Blitz" attack or any other
strategy? Why not depend upon the signing-domain as a basis for
acceptance? This would anticipate network exploits as well as
meeting your deterministic criteria. This puts you two moves ahead.
As a child, you may have enjoyed the game of tic-tac-toe. Once you
better understood the game, you simply decide not to play. When an
opponent also knows the game, you become aware there is no point.
I hope you realize the nonsense point you are trying to make also
applies to both players. Once the bad actor knows there is no way to
win, he will stop trying just as well.
When your deterministic criteria can be met by the abuser, you have
failed to win. They win when you don't. This is an expensive game
when thousands of applications must be rewritten for a no-win scenario.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org