ietf-dkim

Re: [ietf-dkim] Re: The Value of Reputation

2006-01-03 16:37:04

On Jan 3, 2006, at 11:39 AM, Stephen Farrell wrote:
> Douglas Otis wrote:
>> On Jan 2, 2006, at 11:16 PM, Frank Ellermann wrote:
>>> Douglas Otis wrote:
>>>> dangerous open-ended policies as seen with SPF. (Very bad.)
>>>
>>> Define "open-ended":
>
> Aaaaargh! Please don't!

This was related to comments suggesting removal of SSP draft from the charter. What problem is created in providing a definition of terminology?


> Why not read and comment on the threats draft instead? You'll feel much better, really.

I _did_ respond to the threat draft, but neither reading the threat draft nor the lack of response by _anyone_ else to this draft raises a level of comfort. Please note the question raised with respect to section 3.2.2, "Identity-Related Fraud", has remained unanswered.

http://mipassoc.org/pipermail/ietf-dkim/2005q4/001571.html

SSP was introduced rather than produced out of open discussions. SSP goes well beyond establishing the base DKIM draft. The next steps should be to decide how DKIM can best be applied. SSP presupposes an email-address authorization scheme is needed, beneficial, and safe to either assert or display. As there has not been much consideration given for the secondary effects or the reconsideration of blatant assumptions, the statements in a threat review seem to have been made without any desire to defend the justifications used for the SSP mechanism. At least Frank is willing to discuss these related issues.

There are at least two factors at play that may be hindering this process. There is an almost rote method for dealing with email abuse which discerns tell-tale characteristics of abusive messages not prevented by a block-list. There is also the security community with an almost rote method of combining identifiers with policies. When a hammer is your only tool, everything looks like a nail. The imagined solution is the application of an anonymous sender's policy applied to _some_ email-address found within the message. This overlooks a few serious problems. The anonymous sender can be a bad actor making their own policy. The good actors will find themselves constrained by the complexity created by restrictive policies for email-addresses that lead to open-ended policies.

The bulk of abuse will be abated through the application of reputation in various forms. The identifiers used in this process must be relatively strong to ensure a fair system. The authorization strategy invites the use of an extremely weak identifier (perhaps seen as a tell-tale sign). There are no safe assurances possible as a result of the application of the SSP policy. :(

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org