
[ietf-dkim] open-ended threats (was: [Fwd: I-D ACTION:draft-fenton-dkim-threats-02.txt])

2006-01-13 21:52:54
Douglas Otis wrote:

[...]  Any "open" policy exposes the email-address domain
owner to unjustified complaint traffic.

No more than could happen today. I don't see any reason why
complaints will rise that couldn't happen right now.

The mechanism directs complaints to the email-address domain
owner, rather than the signing-domain.  Unfortunately, a
published "open" policy will attract more abuse.

IBTD strongly.  First thing, it's nice to have this new term
"open-ended".  In the context of SPF it's "any policy with a
_potential_ result NEUTRAL".  In the context of SSP it's "any
policy _allowing_ unsigned mails".

SPF has it clear that NEUTRAL results MUST (2119) be treated
like NONE.  Of course receivers are free to do whatever they
like not limited to "treat NEUTRAL like FAIL if it's for @AOL"

Utterly dubious idea, it violates a MUST.  I'm too lazy to check
it now, but it would be trivial to add a similar MUST to SSP.

Further, just because a policy is "open-ended" doesn't mean
that all results are inconclusive, a PASS is still a PASS, a
FAIL is still a FAIL, and a valid signature is still a valid
signature.

If there's no signature, or an invalid signature, then it just
makes no sense to send complaints to the domain owner.  It's
also pointless to bother the "signing-domain" without a valid
signature.  Receivers could try to figure out where on their
side something destroyed the signature, that's their problem.

Like receivers should make sure where they test SPF FAIL, if
they don't do it at their border MTA it generally won't work.

That leaves us with one interesting case, "open-ended" signing
policy without related signature, but a PASS for a third party
signature.  In that case complaints should be of course sent
to the signing-domain, not to the signing policy domain owner
(or to the From address, maybe replacing the LHS by abuse@).

I don't see any specific threat here related to "open-ended"
or "closed" policies.  No signature is like NEUTRAL, receivers
can't do much with it (except from screwing-up), it's a polite
form of saying "thanks for supporting DKIM or SPF resp., but
for this mail you wasted your time".

Finally, why should bad actors intentionally try to abuse
addresses with "open-ended" policies?  IMO that's a stupid
plan, receivers used to get "SPF PASS" or "DKIM valid" or what
else would of course look twice if they suddenly get only a
NEUTRAL or no signature or a broken signature.

I don't think there is any question that a closed policy will
prevent the use of most list servers, for example.  Posting
to a list is a common use.

Nothing forces domain owners to publish closed policies, we've
already discussed this.  The WG charter says that the WG will
consider mailing lists, and that's a topic for the SSP draft.

And also for the base draft wrt invalidated signatures.  But
IMO not for the threats draft.  Unrelated, there are now some
IETF pages for the WG:  <http://tools.ietf.org/wg/dkim>  Bye


_______________________________________________
ietf-dkim mailing list
http://dkim.org
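
The complaint routing argued for in the message above, written out as an added example that is not part of the original post or of any DKIM draft: a complaint goes only to a domain whose signature actually verified, and the signing policy ("open-ended" or closed) plays no part in the choice. Assumptions: signature verification happens elsewhere and its result arrives as the set `verified_domains`; the names `tag_value` and `complaint_target` are hypothetical; preferring the From domain when several signatures are valid is a choice made here; the sample messages are constructed and their signatures abbreviated.

```python
from email import message_from_string
from email.utils import parseaddr


def tag_value(header, tag):
    """Return one tag from a DKIM-Signature tag=value list, or None."""
    for part in header.split(";"):
        name, sep, value = part.partition("=")
        if sep and name.strip() == tag:
            # Folded headers may carry whitespace inside the value.
            return "".join(value.split()).lower()
    return None


def complaint_target(raw_message, verified_domains):
    """Return the domain a complaint can sensibly go to, or None.

    verified_domains: d= domains whose signature the receiver validated
    (assumption: verification itself is done by other code).
    """
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = [tag_value(h, "d") for h in msg.get_all("DKIM-Signature", [])]
    valid = [d for d in signers if d and d in verified_domains]
    if from_domain and from_domain in valid:
        return from_domain      # valid signature by the From domain itself
    if valid:
        return valid[0]         # third-party PASS: complain to the signer
    return None                 # unsigned or broken: nobody to hold responsible


# Constructed sample: list-signed mail from an address in another domain.
THIRD_PARTY = (
    "From: Alice <alice@example.org>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net;\n"
    "\ts=sel; h=from:subject; b=AAAA\n"
    "Subject: test\n\nbody\n"
)
# Constructed sample: the same mail also signed by the From domain.
BOTH = THIRD_PARTY.replace(
    "Subject:", "DKIM-Signature: v=1; d=Example.ORG; s=k1; b=BBBB\nSubject:", 1
)
UNSIGNED = "From: alice@example.org\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    print(complaint_target(THIRD_PARTY, {"lists.example.net"}))
    print(complaint_target(THIRD_PARTY, set()))
```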
