ietf-dkim

[ietf-dkim] Domain Ownership

2005-11-23 02:13:06

----- Original Message -----
From: "Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org>
To: <arvel(_dot_)hathcock(_at_)altn(_dot_)com>
Subject: Re: [ietf-dkim] SSP security relies upon the visual domain appearance


On Tue, 2005-11-22 at 22:56 -0600, Arvel Hathcock wrote:
Doug, I'm not convinced there is such a thing as an "email-address
owner" to which you often refer.   I don't think I know any
"email-address owners".  I know plenty of "domain owners"
though. .....

By email-address owner I was attempting to draw a distinction between
the domain owner running the email server and the domain owner
establishing email-addresses.  The email-address owner often employs the
services of the domain owner running the email server.  For DKIM, this
distinction could be seen by a different domain signing the message from
the domain of the email-address.  It could be said each owns their
domain.  Perhaps I should keep saying email-address domain owner.

The user does not own the email address domain and the email address domain
owner has full rights over its usage.  Always has and always will.  The only
reason the so-called "freedom" exists is simply because there were no controls
in place before, hence the major exploitation and abuse of the domains.

You are trying to remove all rights to control the domain owner's property
and you really haven't considered the idea the email service may not want to
get involved in allowing blatant fraudulent usage of restricted domains.
You are making an incorrect assumption that services will want this FREEDOM
without any sort of verification.

Even then, DKIM/SSP allows for 3rd party signing, if this is what the email
service wants to offer.

I took a quick survey of my customers a few weeks ago and BY FAR, all of
them wanted control of the usage of their domains by their users.  They want
the flexibility on a security group profile (domain) basis. Some want to
allow the freedom for some domains, for other domains they do not.

Not every ISP service is a PUBLIC service bureau Doug.  A good example, off
hand, is ISP for car dealerships, each with a domain reflecting the car
dealership.  They don't want spam just like the next guy and they don't want
these "high-value" domains exploited externally.

Your solution KEEPS the doors open to status quo exploits across the board.
Your solution would prevent the controls of restrictive domains across the
board. The core signature is NOT enough, with or without OPID.  A SSP is
essential to obtain optimal benefits.

Just consider even if you had an OPID concept. You would still need a
deterministic control to validate its usage.  What if it was wrong?  What
if it doesn't make sense?  What if it isn't OPID ready?  Which policy do you
honor? Which do you not honor? Are you still going to pass the BAD
transactions to the user?  At what point does it become automatic rejection
or acceptance?  It really doesn't matter what idea you have.  You gotta have
some level of logic to make these hard rules.  You MUST have some level of
dissemination to separate the good from the bad, to eliminate the obvious.
You must have technical protocol consistency.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
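
An added illustration, not part of the original post or of any DKIM/SSP draft: a deterministic receiver-side decision of the kind the message calls for, comparing the signing domain (the `d=` tag) with the From domain. The policy table, its "strict"/"open" labels, the verdict names and the sample messages are constructed assumptions, and every signature present is assumed to have been cryptographically verified already.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for what each From-domain owner would publish.
# "strict": only the domain's own signature is acceptable.
# "open":   third-party signing is allowed.
POLICY = {"dealer.example": "strict", "freemail.example": "open"}

def sig_tags(value):
    """Split a DKIM-Signature tag list (tag=value; ...) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def decide(raw, policy=POLICY):
    """Return (verdict, from_domain, signer_domains) for one raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = {sig_tags(s).get("d", "").lower()
               for s in msg.get_all("DKIM-Signature", [])}
    signers.discard("")
    rule = policy.get(from_domain)
    if from_domain in signers:        # signed by the From domain itself
        verdict = "accept-first-party"
    elif rule == "strict":            # unsigned or third-party only: refused
        verdict = "reject"
    elif signers and rule == "open":  # owner permits another domain to sign
        verdict = "accept-third-party"
    else:                             # no published policy, or nothing to assess
        verdict = "no-assertion"
    return verdict, from_domain, sorted(signers)

def make(from_addr, *signing_domains):
    """Build a constructed sample message with one signature per domain."""
    sigs = "".join(
        f"DKIM-Signature: v=1; a=rsa-sha256; d={d};\n s=sel; b=AAAA==\n"
        for d in signing_domains)
    return f"{sigs}From: {from_addr}\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for m in (make("Sales <sales@dealer.example>", "dealer.example"),
              make("sales@dealer.example", "isp.example"),
              make("bob@freemail.example", "isp.example")):
        print(decide(m))
```

The same third-party signature gives two different outcomes depending only on what the From-domain owner declared, which is the per-domain control described in the message.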






_______________________________________________
ietf-dkim mailing list
http://dkim.org
