ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Re: Domain Ownership

2005-11-25 19:28:07
On Fri, 2005-11-25 at 14:40 -0600, Arvel Hathcock wrote:
The only reason the so call "freedom" exist is simply because there  was 
no controls in place before, hence the major exploitation and  abuse of 
the domains.

You are describing current practices, permitting the operation of 
list-servers for example, as abusive.

Nope, he's not.

Sending messages where the From header field indicates the message's
author is not exploiting or abusing the domain of the author's email-
address.  Rules prohibiting one's ability to send such messages would be
highly disruptive.  A list server would be one example of the practices
disrupted by such a prohibition.  Multiple From email-addresses will
create confusion and new avenues for exploitation.

Abuse takes many forms.  Simplistic domain policies assume the use of
ASCII display terminals, as these policies are useless when other
character-sets or display modes are considered.  The mere association of
a From email-address with a signing-domain offers little protection, but
incurs a high cost.

With a multitude of socially engineered exploits that will remain
unaffected, the impact upon spoofing may be difficult to notice, once
abusers decide to adapt.  As these spoofing exploits continue, large
numbers of similar domains will need to be acquired.  This SSP approach
retreats to a point in time where there were but a few TLDs and just one
character-set.


Conversely though, you treat current practice as sacrosanct,
inscripturating it with an almost evangelical fervor.  There is much
about current practice that demands a reformation in my view.

Those administering the system and granting access should remain
accountable.  An authorization scheme like SSP opens the door for unfair
coercion, which shift the burden onto an often hapless email-address
domain owner.  At the mercy of message deletion, authorization will need
to be instantiated, and then, due to unfair reputation accrual, will
then demand a limitation in providers.  While this may seem ideal for
some providers, SSP breaks many things and reduces freedoms while
offering little of redeeming value.

SSP authorization is _not_ the only option that DKIM enables.  The
inclusion of binding-advice within the signature can instantiate
simplistic domain policies.  This would be possible without the use of
an authorization record that invites coercion and unfair accrual.  This
binding approach also enables a strategy where email authors can be
recognized by the system, and thus abate many of the socially engineered
exploits.  This can be done with less overhead and less administration
without breaking things. 

Things can be made better with DKIM.  However, SSP makes things worse.

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org

<Prev in Thread] Current Thread [Next in Thread>