Date: Tue, 22 Jan 2008 11:16:31 -0800
From: dhc(_at_)dcrocker(_dot_)net
To: robert(_at_)barclayfamily(_dot_)com
robert(_at_)barclayfamily(_dot_)com wrote:
Agreed, and one of the things a domain owner knows in at least some
situations is what policies they have set for users of that domain about
how they are allowed to use that domain. Clearly this is not the case
for the majority of domains on the internet, but how many have to be
able to make this assertion for it to be useful to have in the standard?
If we have some differential statements of constituencies and scenarios to
which a given feature applies -- sometimes called an applicability statement
-- then we can make much more realistic statements about utility.
Some constituencies are few in number but big in impact. That's fine. As
long as we can characterize them and convince ourselves that they will
benefit.
As is the case with pretty much any type of policy publication there are both
publishers and consumers of that information. I think I could readily
characterize instances where a domain owner could accurately publish a "strict"
policy for their domain, both from personal experience and from the set of
senders/domain owners I regularly work with. That's clearly not the whole
internet but would represent at least one constituency on the publishing side.
Characterizing the consumer side accurately is slightly harder because this
data is supplementary to whatever people already do and I don't think this data
can really be accurately viewed in a vacuum but still should not be an
insurmountable problem.
Are you looking for descriptions of one of the above, both, or the interaction
between the two?
By asserting that any mail that claims authorship from a domain I
control must be signed by me I'm not making any particular assertion
about why any other mail might not fit that policy. Just the fact that
it does not.
(just to make sure: "by me" means "by the same domain as listed in the
author field"?)
Yes, sorry, I resorted to putting myself in the place of a domain owner
publishing a policy rather than remaining in the third person. The "me" refers
specifically to the owner or administrator of the domain which appears in the
author field.
At any rate, phrased in the way that you have phrased it, I believe you are
correct.
However, if you state that all mail claiming authorship from a domain is
signed by that domain, then there is an inescapable implication about
unsigned mail claiming that authorship. There is no need to state the
implication explicitly.
d/
--
Yes, that's true, but that implication is not the same as John's
characterization of this statement as saying "I am a phish target". The
implication I would get from that is if you get a piece of unsigned mail, or
mail signed by someone other than that domain that it was not validly authored
by that domain. That encompasses more possibilities than just "I am a phish
target" and still requires that the receiver make a decision about whether they
care that the mail was not validly authored by that domain given the
information they have available about both the source that transmitted it to
them, and the source that actually did sign the mail.
Robert
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
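
Added example, not part of the original message or of any DKIM draft: a receiver-side check for the implication discussed in this thread, reporting whether mail claiming authorship from a "strict" domain carries a valid signature from that same domain, and who else signed it, without choosing a disposition. It assumes the receiver's own verifier records results in Authentication-Results under the authserv-id mx.receiver.example and that the set of "strict" domains is supplied rather than looked up; all domain names and messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed inputs: domains assumed to publish a "strict" policy, and the
# receiver's own authserv-id (Authentication-Results from anyone else is ignored).
STRICT_DOMAINS = {"strict.example"}
AUTHSERV_ID = "mx.receiver.example"

def author_domain_finding(raw_message):
    msg = message_from_string(raw_message)
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = set()
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        if authserv.strip().lower() != AUTHSERV_ID:
            continue  # header not written by our verifier, so not trusted
        for m in re.finditer(r"\bdkim=pass\b[^;]*?\bheader\.d=([^\s;]+)", results, re.I):
            signers.add(m.group(1).lower())
    author_signed = author in signers
    return {
        "author_domain": author,
        "author_signed": author_signed,
        "other_signers": sorted(signers - {author}),
        # Only a fact about authorship; what to do with the mail stays the receiver's decision.
        "not_validly_authored": author in STRICT_DOMAINS and not author_signed,
    }

def _msg(from_addr, *auth_results):
    # Build a constructed sample message with the given Authentication-Results values.
    lines = [f"Authentication-Results: {r}" for r in auth_results]
    lines += [f"From: {from_addr}", "Subject: constructed sample", "", "body"]
    return "\n".join(lines)

SAMPLES = {
    "signed_by_author": _msg("a@strict.example", "mx.receiver.example; dkim=pass header.d=strict.example"),
    "signed_by_list": _msg("a@strict.example", "mx.receiver.example; dkim=pass header.d=list.example"),
    "forged_result": _msg("a@strict.example", "mx.elsewhere.example; dkim=pass header.d=strict.example"),
    "no_policy": _msg("b@open.example", "mx.receiver.example; dkim=none"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, author_domain_finding(raw))
```

The "signed_by_list" and "forged_result" samples both yield not_validly_authored, but only the first gives the receiver a second signer to weigh, which is the extra information Robert's last paragraph refers to.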