ietf-dkim

RE: [ietf-dkim] Re: ISSUE 1521 -- Limit the application of SSP to unsigned messages

2008-01-24 12:48:43
 

-----Original Message-----
From: John Levine [mailto:johnl(_at_)iecc(_dot_)com] 
Sent: Thursday, January 24, 2008 2:15 PM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Cc: MH Michael Hammer (5304)
Subject: Re: [ietf-dkim] Re: ISSUE 1521 -- Limit the application of SSP to unsigned messages

Without requiring a check (not saying what action the receiver must
take) of the From address, what we are saying is that bad guy signature
on evil nasty email is just as worthwhile of a signature as that of the
owner of the domain in the From address.

I suppose that's often true, given that a signature from a random
unknown sender that matches the From: address is just as worthless as a
signature from a random unknown sender that doesn't match the From:
address.

But please stop misrepresenting other people's arguments.  
Nobody has ever claimed that a random signature gives mail a free pass.


I'm not misrepresenting other people's arguments at all. If the only
signature on the message is from a 3rd party and there is an opportunity
to check for the assertion of the purported From domain that is not
taken, that in fact is giving more weight (not even equal weight) to the
signature of the third party with respect to any potential assertions by
the owner of the purported From domain.

I have not stated nor have I even insinuated that anyone has claimed
"Nobody has ever claimed that a random signature gives mail a free
pass." 

You are arguing the case of "your trusted friend", the mailing list.
There are alternate ways for a mail list to function rather than present
the "from" address header from another domain. In a world where abuse is
rampant, that practice creates substantive problems and opens the door
to abuse. 

I am arguing the case of millions of compromised end-user machines due
to phishing/malware/trojans. If end users were allowed to vote on this
(after having the two positions presented) I think they would pretty
much prefer requiring checks of assertions (as part of the SSP standard)
and then having the right to choose (through their software or their
choice of service providers) whether to use systems that check DKIM or
what decision to make based on that required check if SSP is used in
their environment.

If, as a receiver, you don't want to use SSP, that is your prerogative. If
you choose to trust the list (or any other signature) rather than (or
over) the SSP of the purported From domain, that is again your
prerogative. If you make that choice and get phished/trojaned, whatever,
and contact me as the operator of the purported from domain, I'm not
going to be particularly sympathetic when you tell me you trusted the
list (or over some random signature) over my SSP (that wasn't even
looked at) that gave fair warning.

Consider including the mandatory check in SSP as the opportunity to
evaluate something that might prevent pretty significant bad outcomes in
a significant amount of cases. You may choose to ignore the warning but
you can't claim that you were ignorant that the warning exists. As
others have pointed out, DKIM can be useful by itself without reputation
systems if given the chance.

Mike


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
