On Jan 20, 2006, at 6:56 AM, John Levine wrote:
That's not really where I was going. What I more envision is that
a mailing list will have its own reputation that will match the
LCD of the list, just as you say, but that the way to protect
against that is for lists to be at least a little picky about who
they allow on.
Yes, exactly.
Hey, wait a minute -- isn't that what lists already do?
The discussion was whether the DKIM signature itself can serve as a
basis for acceptance. In other words, can a DKIM signature safely
accrue a reputation? Unlike the client IP address currently used to
assess list-servers, the DKIM signature can be replayed and sent to
recipients that were never intended by the list-server. If the DKIM
is to ever serve as a basis for acceptance, there must be a means to
defend against the replay problem. Don't assume this will be someone
else's problem.
A best practice where all DKIM recipients immediately overlay the
incoming signature with a signature assigned the role of MDA by the
MDA, one that would not be accepted by any other MDA, would ensure messages
available for replay could be contained. There could be a new list
created called dkim-abuse-list (DAL). The sender could use this list
to either disable signing when destined for a location known to have a
replay problem, or simply not send the message. This strategy
should convince recipients to ensure the safety of the incoming
signatures, or they could become listed. Over time, the number of
domains on the DAL should represent roughly the dynamics seen on
other types of blocking lists.
-Doug
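As an added simulation of the replay problem and the overlay strategy discussed above (written for this page, not code from the thread): a DKIM-style signature that covers headers and body but not the envelope recipient still verifies when replayed to another MDA, while a copy the receiving MDA has re-signed with its own local key is rejected by every other MDA. Constructed HMAC keys stand in for real DKIM RSA keys, and the proposed DAL is not modelled.

```python
import hashlib
import hmac

# Constructed keys for the simulation; real DKIM uses RSA keys published in DNS.
DOMAIN_KEY = b"constructed-example.com-key"
MDA_KEYS = {"mda-a.example": b"constructed-mda-a-key",
            "mda-b.example": b"constructed-mda-b-key"}
SIGNED_HEADERS = ("from", "to", "subject")


def dkim_like_sign(msg, key):
    # Covers the listed headers and a body hash. As with real DKIM, the SMTP
    # envelope recipient is not part of the signed content.
    headers = "\n".join(f"{h}:{msg['headers'][h]}" for h in SIGNED_HEADERS)
    bh = hashlib.sha256(msg["body"].encode()).hexdigest()
    return hmac.new(key, f"{headers}\n{bh}".encode(), hashlib.sha256).hexdigest()


def verifies(msg, key):
    return hmac.compare_digest(dkim_like_sign(msg, key), msg["sig"])


def replay(msg, new_rcpt):
    # A replay re-sends the stored message unchanged to an unintended recipient.
    return {**msg, "envelope_rcpt": new_rcpt}


def mda_deliver(msg, mda):
    # The receiving MDA checks the domain signature, then overlays it with a
    # local signature only this MDA accepts; the stored copy no longer carries
    # the replayable domain signature.
    if not verifies(msg, DOMAIN_KEY):
        return None
    return {**msg, "sig": dkim_like_sign(msg, MDA_KEYS[mda]), "signer": mda}


def accepted_by(mda, msg):
    # An MDA trusts the sender domain's key or its own local key, nothing else.
    if msg["signer"] == "domain":
        return verifies(msg, DOMAIN_KEY)
    return msg["signer"] == mda and verifies(msg, MDA_KEYS[mda])


def demo():
    msg = {"headers": {"from": "list@example.com", "to": "list@example.com",
                       "subject": "constructed sample"},
           "body": "hello", "envelope_rcpt": "alice@mda-a.example", "signer": "domain"}
    msg["sig"] = dkim_like_sign(msg, DOMAIN_KEY)
    # Unmitigated: the replayed copy still verifies at an unintended MDA.
    replay_ok = accepted_by("mda-b.example", replay(msg, "bob@mda-b.example"))
    # Mitigated: MDA A's stored copy is accepted by A but by no other MDA.
    stored = mda_deliver(msg, "mda-a.example")
    local_ok = accepted_by("mda-a.example", stored)
    contained = not accepted_by("mda-b.example", replay(stored, "bob@mda-b.example"))
    return replay_ok, local_ok, contained
```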
_______________________________________________
ietf-dkim mailing list
http://dkim.org