ietf-dkim

Re: [ietf-dkim] SSP = FAILURE DETECTION

2006-09-09 11:43:09

----- Original Message -----
From: "Dave Crocker" <dhc(_at_)dcrocker(_dot_)net>
Subject: Re: [ietf-dkim] SSP = FAILURE DETECTION


Wietse Venema wrote:

The purpose of a valid DKIM signature is to identify the party that
signed the message. Whether this is a first-party or third-party
signature is largely irrelevant. It's about accountability.

It is interesting how vigorously and persistently this continues to be
misunderstood.

Dave, it is NOT and NEVER WAS misunderstood!!

Although I have major concerns about the conflicts with this new
accountability and responsibility, which undoubtedly leaves itself open to
legal scrutiny, the difference is that DKIM-BASE creates a new level of
expectations and SSP is about the detection of failure and non-compliance
with the protocol consistency.

At some point, this "accountability" has to have some redeemable value.

You want receivers to play dumb and just return a VALID or INVALID state
which still accepts the mail.

What I am telling you is that, regardless of what the SIGNATURE means,
its failure will not be tolerated in wide adoption.

So let's assume there is no SSP and we just have a pure DKIM-BASE verifier,
what do you want us to do with the two possible end-results?

   - INVALID signature
   - VALID signature

Do you want us to present 'something' to users and, if so, how do you present
this to the different user types?

  - ONLINE mail users?
  - OFFLINE mail pickup users?

For the online users, our hosting software can present "something"

   - WARNING: something wrong with this message?
   - NOTE: This message seems to be ok!

But how do you pass this information for the offline mail pickup users?

Are you expecting them to be DKIM-READY to display this information
themselves?

If so, why should the MTA even bother to do DKIM-PROCESS and just let the
offline MUA do the DKIM processing?

The bottom line is that you still need to "FILTER" something at some level
even if you don't use SSP at the MTA and I can assure you that without SSP,
I am less willing to assume product liability issues by wasting time doing an
ACCOUNTABILITY check at the MTA that has no payoff of eliminating mail.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
