On Jan 13, 2006, at 3:23 PM, Stephen Farrell wrote:
>> [...] Any "open" policy exposes the email-address domain owner to
>> unjustified complaint traffic.
>
> No more than could happen today. I don't see any reason why
> complaints will rise that couldn't happen right now.
The mechanism directs complaints to the email-address domain owner,
rather than the signing-domain. Unfortunately, a published "open"
policy will attract more abuse.
>> However, "closed" policies also disrupt common email practices,
>> and therefore are not suitable for general use.
>
> Probably not. But as I understand it, those are designed for
> special (and not general) cases.
I don't think there is any question that a closed policy will prevent
the use of most list servers, for example. Posting to a list is a
common use.
>> A large domain has an advantage that a smaller domain does not.[...]
>
> I don't see how we can design a protocol to level that playing field.
The concern is not about leveling the playing field, but rather not
giving the large domain a powerful club with which to beat the heck
out of smaller domains. This requires avoiding any reason or excuse
for an open policy to be published.
>> ... This problem in general also runs afoul of a desire to not
>> force the publication of "open" policies creating a paradox.
>
> I don't see any paradox unless you want one domain with both an
> open and a closed policy.
For example, a second level domain "co.jp" publishes the 'o=.'
policy. This would mean all sub-domains must then also publish a
policy or forgo expectations of having their email accepted. The
second level domain may have been motivated into publishing a policy
in order to squelch a high level of traffic, as no-records are not
cached very long and each and every message instigates a new lookup.
A mechanism to indicate the SSP record does not apply to sub-domains
would ensure the search could end, but would then not be applied to
the sub-domains. A separate mechanism not part of the 'o=' could be
used, such as 'i=y' or 'i=n' for "sub-domains inherit policy" (yes/[no]).
The paradox occurs when co.jp wishes to use email normally.
Their record could be "i=n" (nothing more).
>> On Jan 12, 2006, at 6:17 AM, Stephen Farrell wrote:
>>
>>> "Policies can be open or closed. Open policies define a set of
>>> conformant messages and are silent about other messages. Closed
>>> policies define the set of conformant messages and other messages
>>> do not conform to the policy.
>>
>> Policy is not checked when the email/signing domains match.
>> Policy is therefore silent when email/signing domains match. When
>> email/signing domains do not match, SSP indicates whether unsigned
>> or foreign signed messages are acceptable. With respect to open
>> policies, _all_ such messages are conformant and acceptable.
>
> Nope. You're confusing the sender's policy statement with what the
> verifier considers acceptable, which is out of scope.
I understand your position. A policy that says "signs some" also
says "some legitimate messages are not signed or are signed by
others." Language is important when attempting to convey concepts.
When the signing/email domains don't match and "some legitimate
messages are not signed or are signed by others" policy is
discovered, how does this relate to what messages are
conformant? Clearly not being signed could be an indication of
conforming to the statement.
-Doug
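The co.jp scenario above, worked through as an added example. This is not code from the thread, from the SSP draft, or from any DKIM implementation; it is a toy model of the lookup walk Doug describes, written to show why a parent domain's 'o=.' record drags record-less sub-domains into a closed policy, what his proposed 'i=n' tag would change, and how many queries the parent absorbs when nobody publishes anything. Assumptions: records sit at _policy._domainkey.<domain>; a verifier that gets no record climbs to the parent until it reaches a two-label name such as co.jp; the 'o=' values (~ some mail signed, - all signed, ! all signed and no third-party signatures, . no mail sent) are the draft's values as I recall them; 'i=y'/'i=n' is Doug's proposal and sub-domains are assumed to inherit when the tag is absent. The zone data is constructed.

```python
"""Toy model of an SSP policy walk (added example; not thread or draft code).

Assumptions, none of which come from the thread itself:
  - records live at _policy._domainkey.<domain>;
  - a verifier with no record at the address domain walks to the parent,
    stopping once it has queried a two-label name (co.jp);
  - 'o=' values as in the SSP draft of the time, as recalled:
      ~ some mail signed   - all mail signed, third-party ok
      ! all signed, no third-party   . this domain sends no mail
  - 'i=y' / 'i=n' is Doug's proposed "sub-domains inherit" tag; absent
    means inherit (assumed default).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SSP_PREFIX = "_policy._domainkey."

# Constructed zone data for the scenarios discussed in the message.
ZONE_CLOSED_PARENT = {SSP_PREFIX + "co.jp": "o=."}     # co.jp publishes 'o=.'
ZONE_OPT_OUT_PARENT = {SSP_PREFIX + "co.jp": "i=n"}    # Doug's "i=n (nothing more)"
ZONE_EMPTY: Dict[str, str] = {}                        # nobody publishes anything
ZONE_OWN_RECORD = {SSP_PREFIX + "co.jp": "o=.",
                   SSP_PREFIX + "example.co.jp": "o=~"}  # sub-domain publishes its own


def parse_ssp(txt: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict; tags are lower-cased."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class Lookup:
    policy: Optional[Dict[str, str]]  # record governing the address domain, or None
    found_at: Optional[str]           # name the record was found at, or None
    queries: int                      # DNS queries the verifier had to issue
    note: str


def lookup_policy(dns: Dict[str, str], domain: str, min_labels: int = 2) -> Lookup:
    """Walk from `domain` toward its parents until a record is found or the
    walk has queried a `min_labels`-label name.  Every miss is a query the
    parent's name servers answer (negative answers are cached only briefly).
    A parent record carrying i=n ends the walk without being applied."""
    labels = domain.split(".")
    queries = 0
    for i in range(len(labels) - min_labels + 1):
        name = ".".join(labels[i:])
        queries += 1
        txt = dns.get(SSP_PREFIX + name)
        if txt is None:
            continue                      # negative answer: try the parent
        policy = parse_ssp(txt)
        if name == domain:
            return Lookup(policy, name, queries, "record published by the address domain")
        if policy.get("i", "y") == "n":   # assumed default: inherit
            return Lookup(None, name, queries,
                          f"{name} says sub-domains do not inherit; walk ends, no policy")
        return Lookup(policy, name, queries, f"policy inherited from {name}")
    return Lookup(None, None, queries, "no record anywhere; every query reached the parent")


def conformant(dns: Dict[str, str], address_domain: str,
               signing_domain: Optional[str]) -> Tuple[bool, str]:
    """Is an unsigned (signing_domain None) or foreign-signed message conformant?
    Policy is not consulted when the signing domain is the address domain."""
    if signing_domain == address_domain:
        return True, "signed by the address domain; policy not checked"
    res = lookup_policy(dns, address_domain)
    if res.policy is None:
        return True, res.note
    o = res.policy.get("o", "~")
    where = res.found_at
    if o == "~":
        return True, f"o=~ at {where}: unsigned or foreign-signed mail conforms"
    if o == "-":
        if signing_domain is None:
            return False, f"o=- at {where}: all mail is signed, this is not"
        return True, f"o=- at {where}: third-party signature accepted"
    if o == "!":
        return False, f"o=! at {where}: only signatures by the address domain conform"
    if o == ".":
        return False, f"o=. at {where}: domain claims to send no mail"
    return True, f"unknown o={o} at {where}; treated as open"


if __name__ == "__main__":
    for label, zone in [("co.jp publishes o=.", ZONE_CLOSED_PARENT),
                        ("co.jp publishes i=n", ZONE_OPT_OUT_PARENT),
                        ("no records at all", ZONE_EMPTY),
                        ("example.co.jp publishes o=~", ZONE_OWN_RECORD)]:
        ok, why = conformant(zone, "example.co.jp", None)
        q = lookup_policy(zone, "example.co.jp").queries
        print(f"{label:30} queries={q} conformant={ok}: {why}")
```

With the 'o=.' zone, an unsigned message from example.co.jp is non-conformant after two queries because co.jp's record is inherited; with 'i=n' the same two queries end the walk and no policy applies; with nothing published at all, every message still costs two queries, the second of which lands on co.jp's servers, which is the traffic Doug says motivates a second-level domain to publish something. Only when example.co.jp publishes its own record does the walk stop after one query.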
_______________________________________________
ietf-dkim mailing list
http://dkim.org