Doug,
Authoritative statements made by a DKIM-aware MUA are a good thing.
However from an ISP perspective I would not depend on an end user to
have a DKIM aware MUA but will verify and do Policy silently at my edge
MTA devices. Any mail that makes it past there can still be acted upon
by the MUA.
Bill Oxley
Messaging Engineer
Cox Communications
404-847-6397
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Douglas Otis
Sent: Monday, January 22, 2007 6:32 PM
To: J.D. Falk
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Change to Section 6
On Jan 22, 2007, at 2:17 PM, J.D. Falk wrote:
On 1/19/07 7:07 PM, John Levine wrote:
I disagree with Doug and agree with the wording in the current
document.
I'm with Paul, I do not want to reopen the arguments about how long a
verification key should or shouldn't be around.
Not sure if it's a +1 to Paul or a -1 to Doug, but either way I
agree with Paul and John here. We need -base yesterday; save the
endless intractable arguments for SSP.
While I might agree with the urgency, this poorly worded comment
launches the SSP journey with a stated expectation that MTAs provide
full coverage of DKIM signature verification prior to messages being
obtained by end users. This produces unrealistic expectations for
how DKIM might be adopted, as well as overestimating the consistency
of MTAs and their backups. While this group might be dominated by
MTA vendors (in general a good thing), DKIM will likely offer far
greater protections in the hands of MUA vendors who can provide much
needed annotations in an era where email will also likely see a rapid
uptake of EAI extensions.
<repeated rant 1>
UTF-8 should create serious doubts about the efficacy of any
annotation made by MTAs not based upon a level of trust. The current
thinking appears to be annotations indicating the number of policy
hoops navigated. With a churn rate of domain names in the millions
per day, it is not reasonable to assume a protection scheme can stay
ahead of the bad actors. Finding a means to establish trusted
identities is critically important. One such source might be the
recipient's address book, in addition to DAC lists appropriate at the
MTA.
</repeated rant 1>
<repeated rant 2>
The bifurcation of identities introduced by EAI also means a common
domain scheme depended upon to link headers with DKIM signatures is
not adequate either. Expecting MTA servers to warehouse hundreds or
thousands of private keys is another cause for concern, before
launching the SS DKIM. This problem can be resolved by a simple
relaxation of the 'i=' identity and a provision allowing domain
association using simple hash tags.
</repeated rant 2>
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html