
RE: [ietf-dkim] Change to Section 6

2007-01-23 08:11:52
Doug,
Authoritative statements made by a DKIM-aware MUA are a good thing.
However, from an ISP perspective I would not depend on an end user to
have a DKIM-aware MUA, but will verify and do policy silently at my edge
MTA devices. Any mail that makes it past there can still be acted upon
by the MUA.

Bill Oxley
Messaging Engineer
Cox Communications
404-847-6397

-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Douglas Otis
Sent: Monday, January 22, 2007 6:32 PM
To: J.D. Falk
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Change to Section 6


On Jan 22, 2007, at 2:17 PM, J.D. Falk wrote:

> On 1/19/07 7:07 PM, John Levine wrote:
>
>> I disagree with Doug and agree with the wording in the current
>> document.
>> I'm with Paul; I do not want to reopen the arguments about how long a
>> verification key should or shouldn't be around.
>
> Not sure if it's a +1 to Paul or a -1 to Doug, but either way I
> agree with Paul and John here.  We need -base yesterday; save the
> endless intractable arguments for SSP.

While I might agree with the urgency, this poorly worded comment
launches the SSP journey with a stated expectation that MTAs provide
full coverage of DKIM signature verification prior to messages being
obtained by end users.  This produces unrealistic expectations for
how DKIM might be adopted, as well as overestimating the consistency
of MTAs and their backups.  While this group might be dominated by
MTA vendors (in general a good thing), DKIM will likely offer far
greater protections in the hands of MUA vendors who can provide much
needed annotations in an era where email will also likely see a rapid
uptake of EAI extensions.

<repeated rant 1>
UTF-8 should create serious doubts about the efficacy of any
annotation made by MTAs not based upon a level of trust.  The current
thinking appears to be annotations indicating the number of policy
hoops navigated.  With a churn rate of domain names in the millions
per day, it is not reasonable to assume a protection scheme can stay
ahead of the bad actors.  Finding a means to establish trusted
identities is critically important.  One such source might be the
recipient's address book, in addition to DAC lists appropriate at the
MTA.
</repeated rant 1>

<repeated rant 2>
The bifurcation of identities introduced by EAI also means a common
domain scheme depended upon to link headers with DKIM signatures is
not adequate either.  Expecting MTA servers to warehouse hundreds or
thousands of private keys is another cause for concern, before
launching the SS DKIM.  This problem can be resolved by a simple
relaxation of the 'i=' identity and a provision allowing domain
association using simple hash tags.
</repeated rant 2>

-Doug



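The two positions in this exchange, Bill's (the edge MTA verifies and records the result, the MUA may still act on it) and Doug's (annotation should rest on a trust source such as the recipient's address book, and the 'i=' identity must sit inside 'd='), can be put together in one small MUA-side check. The Python below is an added example written for this archive page; it is not code from either author or from any DKIM implementation. The authserv-id "mx.example.net", the domains, addresses and headers are all constructed, and the bh=/b= values are placeholders rather than real signature data. The rule it applies for the Authentication-Results header (trust only the copy bearing your own verifier's id) and the i=/d= alignment rule (RFC 6376, section 3.5) are standard DKIM practice, not something the thread itself spells out.

```python
"""Added example, not part of the thread: an MUA-side check that relies on the
edge MTA having already verified DKIM and recorded the result in an
Authentication-Results header, and that uses the recipient's address book as
the trust source.  Every header, address and domain below is constructed."""
import re
from email import message_from_string
from email.message import Message

# Constructed: the authserv-id our own edge MTA writes into Authentication-Results.
# The MUA trusts that header only when it carries this id; a copy bearing any
# other id may have been added by a sender upstream of the edge.
OUR_AUTHSERV_ID = "mx.example.net"


def parse_tag_list(value: str) -> dict:
    """Parse a DKIM-Signature 'tag=value; tag=value' list, dropping the folding
    whitespace that RFC 6376 allows inside values."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            tag, val = part.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags


def our_dkim_result(msg: Message, authserv_id: str):
    """Return (dkim result, header.d) from the Authentication-Results header
    written by our own edge verifier, ignoring headers with any other id."""
    for ar in msg.get_all("Authentication-Results", []):
        ident, _, results = ar.partition(";")
        if ident.split()[:1] != [authserv_id]:
            continue
        for clause in results.split(";"):
            m = re.match(r"\s*dkim=(\w+)", clause)
            if m:
                d = re.search(r"header\.d=([\w.\-]+)", clause)
                return m.group(1).lower(), (d.group(1).lower() if d else None)
    return "none", None


def domain_aligned(child: str, parent: str) -> bool:
    """True when child equals parent or is a subdomain of it."""
    child, parent = child.lower(), parent.lower()
    return bool(parent) and (child == parent or child.endswith("." + parent))


def annotate(raw_message: str, address_book: set, authserv_id: str = OUR_AUTHSERV_ID) -> str:
    """Outcome for the MUA to display:
      'unverified' - no DKIM pass from our own verifier, or the signature's
                     identities do not hang together;
      'verified'   - a DKIM pass, but nothing ties the author to the recipient;
      'trusted'    - a DKIM pass whose d= covers the From domain, from an
                     address already in the recipient's address book."""
    msg = message_from_string(raw_message)
    result, d = our_dkim_result(msg, authserv_id)
    if result != "pass" or d is None:
        return "unverified"
    sig = parse_tag_list(msg.get("DKIM-Signature", ""))
    if sig.get("d", "").lower() != d:
        return "unverified"      # the A-R claim does not match the signature present
    # RFC 6376 section 3.5: the domain part of i= must be d= or a subdomain of it.
    i_domain = sig.get("i", "@" + d).rpartition("@")[2]
    if not domain_aligned(i_domain, d):
        return "unverified"
    m = re.search(r"([\w.+\-]+@([\w.\-]+))", msg.get("From", ""))
    if not m:
        return "unverified"
    from_addr, from_domain = m.group(1).lower(), m.group(2).lower()
    if from_addr in address_book and domain_aligned(from_domain, d):
        return "trusted"
    return "verified"


# Constructed sample messages (bh= and b= are placeholders, not real signature data).
SIGNED = """\
Authentication-Results: mx.example.net; dkim=pass header.d=example.org header.s=sel1
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1; i=alice@example.org;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.org>
To: bob@example.net
Subject: hello

body
"""
# Same message, but the only Authentication-Results header came from some other
# verifier, so our MUA must not rely on it.
FOREIGN_AR = SIGNED.replace("mx.example.net;", "other-verifier.invalid;")
# i= placed outside d=, which RFC 6376 does not allow.
BAD_IDENTITY = SIGNED.replace("i=alice@example.org", "i=alice@example.com")

if __name__ == "__main__":
    book = {"alice@example.org"}
    print(annotate(SIGNED, book))          # trusted
    print(annotate(SIGNED, set()))         # verified
    print(annotate(FOREIGN_AR, book))      # unverified
    print(annotate(BAD_IDENTITY, book))    # unverified
```

The split of work matches Bill's description: the cryptographic check happens once at the edge, and the MUA only reads the recorded result, so a user without a DKIM-aware client is no worse off, while one with such a client gets an annotation grounded in something it can trust (its own verifier's id and the user's own address book) rather than in a count of policy hoops.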
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

