ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] r= for instilling good domain-name practices

2006-04-28 18:55:01

On Apr 28, 2006, at 5:45 PM, J.D. Falk wrote:

On 2006-04-28 10:10, Douglas Otis wrote:

: The r= parameter is defined by the signer as a simple number
: of 0-9, where 0 is the default offering the lowest reliance
: level.  To ensure control in the case of MUA signing, this r=
: parameter in the signature MUST always be less than or equal
: to the key r= level.  If there are no r= parameters found in
: the key, the highest r= parameter allowed in the signature
: would be r=0.  An instance where the key r= parameter is less
: than that of the signature, the signature is invalid.

One signer's r=3 might connote a level of verification equivalent to another signer's r=8. So as a recipient, I'd have to keep track of the domain, the selector, AND the r value...even though I'll be making my reputation decision based entirely on criteria of my own choosing. So, I might as well just ignore the r value.

Without conventions established for the use of this parameter, it will offer only little value. Without conventions, only the reliance parameter being greater than zero would be of any significance. Conventions can recommend reliance levels for various types of sources such as:

Administrators          9
Transactional email     8
Permanent Employees     7
Automated messages      6
Mailing lists           5
Domain Users            4
Bulk                    3
Proxy Service           2
Transparent Service     1
Guests                  0

With this type of list, a recipient wishing to annotate messages would have a far better idea what level of reliance could be placed upon a range of messages from an otherwise trusted and well-known domain. Not all messages are trustworthy, even from a well-known domain. Perhaps as a general practice, all domains would default to receiving elevated annotation when exceeding a level of 5.

You're trying to fit reputation policy -- which is a sociopolitical issue -- into a technical standard.

This is _not_ about reputation. This is confronting the issue that not all messages from well-known domains are equally vetted. This mechanism simply allows the well-known (and otherwise trusted domain) to characterize the level of vetting that has been given their sources. (Of course there would be greater damage to their reputation should abuse be signed at a high level of reliance.)

This mechanism is to head off a highly counter-productive strategy that adopts a plethora of domain-names that attempt to make these same types of distinctions. Such a strategy further increases the number of look-alike domains and perhaps overwhelm the average consumer, while also greatly diminishing brand recognition. Brand recognition is of tremendous value and is being protected by this r= mechanism. If DKIM is to curtail the success of phishing attempts, this r= (or something like it such as selector tagging) is vitally needed.

-Doug



_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html