Hector,
The engineering part is easy, what is extremely difficult is the policy.
After spending a long period of time debating what the word UNIQUE means
in a policy document that has some similarities to email, I want to get
it right the first time. Make sure the rules are simple. Ensure there is
agreement. Make sure a clean unambiguous meaning is set to every
possibility.
Its harder than it looks.
Bill Oxley
Messaging Engineer
Cox Communications, Inc.
Alpharetta GA
404-847-6397
bill(_dot_)oxley(_at_)cox(_dot_)com
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Hector Santos
Sent: Sunday, August 06, 2006 12:01 AM
To: dcrocker(_at_)bbiw(_dot_)net; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] "I sign everything" is not a useful policy
----- Original Message -----
From: "Dave Crocker" <dhc(_at_)dcrocker(_dot_)net>
If I choose to deliver unsigned mail that purports to be from a
domain that says it signs everything, but I mark it up with flashing
lights that say "spoofed" do you want that to be a protocol violation?
Yes. I am not what you mean by "But i mark it up with.." by yes, if the
domain expectations for a valid transactions are broken, in order to
protect
his reputation inherited by a DKIM-BASE mandate, he would prerfer it to
be a
protocol violation.
What about my choosing to send it to
my sysadmin for special handling for spoofed mail? What about...
Thats up to you and local system policy. That should take away the
domain
declaration for his expectatons for a valid transaction.
In other words, there are lots of things that I might reasonably
choose to do with mail that I receive that violates one or
another SSP statement.
I am not sure I follow the logic, but this is all really simple. The
domain
told you want is expected for a valid message. It went thru all the work
on
signing messages for some reason that hopefully has some payoff when
things
go wrong with it. Isn't the essense of a security protocol? When the
protocol is not followed?
It is not the publisher's right or responsibility to tell me what to
do
with
information. By contrast it is entirely reasonable for them to provide
me
with
information that I am likely to find helpful.
Agree. And sure, as a receiver, you can decide to do what you want. But
if
we are talking about helping to stop or control abuse, then I think most
receivers are very interested in technology that will help in the area.
A signer should make statements that a) the signer believes to
be important, and b) there is a good basis for believing that
evaluators will consider important.
Isn't this what SSP draft, including DSAP I-D draft already does and
documents?
Have you looked at this documents? What is wrong with them? Do you
trust
the engineering done? What's missing?
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html