
Re: [ietf-dkim] New Issue: draft-ietf-dkim-threats-00 DKIM can be effective within the Originator's AdmD

2006-01-25 15:16:23

Doug,

Douglas Otis wrote:
,---
| 2.3.2.  Within Claimed Originator's Administrative Unit
|
| ... Since the submission of
| messages in this area generally occurs prior to the application of a
| message signature, DKIM is not directly effective against these bad
| actors.  Defense against these bad actors is dependent upon other
| means, such as proper use of firewalls, and mail submission agents
| that are configured to authenticate the sender.
'---

While currently DKIM does not offer a standardized means to both track and immediately revoke abuse emanating from the originating domain, abuse of this nature represents a substantial portion of the abuse problem. The dkim-options draft illustrates mechanisms comprised of persistent Opaque-IDs and revocation records. By using a persistent O-ID, the AdmD source of abuse can be tracked and readily reported by third parties. Resolution of the abuse is also made apparent by use of the revocation record. This scheme neither exposes nor depends upon an email address.

http://www.ietf.org/internet-drafts/draft-otis-dkim-options-00.txt

Should be:
: Although the submission of messages may be prior to the application
: of a message signature, submissions are commonly authenticated
: internally within the AdmD by mail submission agents.  By including
: a persistent identifier within the signature, a substantial source
: for email abuse can be abated with the use of DKIM.  The identifier
: itself can be block-listed by the sending domain immediately
: without requiring the expiry of a key TTL.  Defense against bad
: actors is also improved with the proper use of firewalls and OS
: maintenance.

That text is somewhat overblown IMO and has some errors.

- "within the signature" - unless you're planning to advocate we
use a signature scheme with message recovery I expect you mean "with
the signature".

- As I pointed out previously, your O-ID is basically a message-set
revocation scheme (which may be a valid approach, but it's nothing
really new, sharing most characteristics with CRLs).

- I've no idea how you'd justify "substantial"

- "immediately" is pure sales-talk, every revocation scheme involves
inherent delays

- presumably you meant to say "black listed"

I expect if you were willing to rephrase along those lines you might
end up with something more people would buy into, or maybe not, but
I'm pretty sure the more sales-talk, the less likely something is to
get agreed.

Lastly, just to note in passing that even if the threats draft were
to say "using such-and-such might be a potentially useful counter
measure", that does not mean that the WG will arrive at consensus
to actually include that mechanism in the protocol - the latter
being a discussion for another day.

Regards,
Stephen.

_______________________________________________
ietf-dkim mailing list
http://dkim.org
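To make the two points under discussion concrete (a persistent identifier carried with the signature lets a third party report abuse without learning an email address, and revocation of that identifier is still subject to the verifier's caching rather than being "immediate"), here is an added toy model. It is illustration written for this page, not the dkim-options draft's mechanism and not any real DKIM implementation: the `oid` tag name, the revocation-record format and the TTL-based cache are assumptions, and HMAC-SHA256 stands in for the public-key signature a real DKIM signer would use.

```python
import hashlib
import hmac

# Constructed demo key: stands in for the signing domain's private key.
SIGNING_KEY = b"constructed-demo-key"


def canonicalize(headers):
    """Relaxed-style canonicalization: lowercase names, collapsed whitespace, CRLF-joined."""
    return "\r\n".join(
        f"{name.lower()}:{' '.join(value.split())}" for name, value in headers
    ).encode()


def parse_tags(sig_header):
    """Parse a 'k=v; k=v' tag list (whitespace-tolerant) into an ordered dict."""
    tags = {}
    for part in sig_header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def signed_tags(tags):
    """Serialize every tag except 'b' (the MAC itself) so the tags are covered by the MAC."""
    return "; ".join(f"{k}={v}" for k, v in tags.items() if k != "b").encode()


def sign(headers, domain, selector, oid):
    """Produce a signature header whose MAC covers the headers AND the persistent O-ID tag.

    The 'oid' tag is an assumption for this example; HMAC replaces a real signature.
    """
    tags = {"v": "1", "a": "hmac-sha256", "d": domain, "s": selector, "oid": oid}
    data = canonicalize(headers) + b"\r\n" + signed_tags(tags)
    tags["b"] = hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()
    return "; ".join(f"{k}={v}" for k, v in tags.items())


class RevocationLookup:
    """Revocation records as a verifier sees them: fetched from the signing
    domain, then cached for `ttl` seconds (modelling DNS-style caching)."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.published = {}  # domain -> set of revoked O-IDs (authoritative side)
        self.cache = {}      # (domain, oid) -> (answer, expires_at)

    def revoke(self, domain, oid):
        """The sending domain block-lists one identifier after an abuse report."""
        self.published.setdefault(domain, set()).add(oid)

    def is_revoked(self, domain, oid, now):
        key = (domain, oid)
        if key in self.cache and now < self.cache[key][1]:
            return self.cache[key][0]  # still serving the cached answer
        answer = oid in self.published.get(domain, set())
        self.cache[key] = (answer, now + self.ttl)
        return answer


def verify(headers, sig_header, revocations, now):
    """Return 'fail' (bad MAC), 'revoked' (O-ID block-listed as seen by this verifier) or 'pass'."""
    tags = parse_tags(sig_header)
    data = canonicalize(headers) + b"\r\n" + signed_tags(tags)
    expected = hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tags.get("b", "")):
        return "fail"
    if revocations.is_revoked(tags["d"], tags["oid"], now):
        return "revoked"
    return "pass"


def abuse_report_key(sig_header):
    """What a third party needs to report abuse: (domain, O-ID), no email address involved."""
    tags = parse_tags(sig_header)
    return (tags["d"], tags["oid"])


def scenario():
    """Timeline showing that revocation is visible only once the verifier's cache expires."""
    rev = RevocationLookup(ttl=300)
    headers = [("From", "someone@example.org"), ("Subject", "hello")]  # constructed message
    sig = sign(headers, "example.org", "sel1", "u7f3")
    tampered = [("From", "someone@example.org"), ("Subject", "hello, send money")]
    results = {
        "tampered": verify(tampered, sig, rev, now=0),  # MAC mismatch -> 'fail'
        "t0": verify(headers, sig, rev, now=0),          # not revoked yet; answer cached
    }
    rev.revoke("example.org", "u7f3")  # at t=10 the domain block-lists the O-ID
    results["t10_after_revoke"] = verify(headers, sig, rev, now=10)    # cached -> still 'pass'
    results["t400_after_revoke"] = verify(headers, sig, rev, now=400)  # cache expired -> 'revoked'
    return results


if __name__ == "__main__":
    print(scenario())
```

The `t10_after_revoke` result is the point Stephen makes about "immediately": the domain has revoked the identifier, but a verifier that cached the earlier answer keeps accepting the message until its TTL expires, exactly the inherent delay a CRL-style scheme carries.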