ietf-dkim

RE: [ietf-dkim] Re: ISSUE 1521 -- Limit the application of SSP to unsigned messages

2008-01-24 13:20:34
 

-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org 
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Hector Santos
Sent: Thursday, January 24, 2008 1:32 PM
To: robert(_at_)barclayfamily(_dot_)com
Cc: dcrocker(_at_)bbiw(_dot_)net; ietf-dkim
Subject: Re: [ietf-dkim] Re: ISSUE 1521 -- Limit the application of SSP to unsigned messages

robert(_at_)barclayfamily(_dot_)com wrote:

But I think there are a sufficient number of cases where domain owners
may want to make statements not just about mail that is not signed,
but about mail that is not signed by them.

Are you kidding me?  I am willing to bet that given the 
opportunity to do so, they will immediately apply strong 
SIGNING requirements to their mail, IFF the receivers are 
going to HONOR the policies.


+1 

My organization has recently started DKIM signing (millions and millions
of emails signed in the last 10 days) for 5 large scale mailing domains
plus making strong SPF assertions for those domains. The end game I want
to see for DKIM-SSP (Can't we make SSP broader? Please?) would be for me
to be able to make the assertion that ALL mail from these domains is
signed and ONLY comes from the IP addresses indicated in our SPF
records. 

Initial results working with receivers that are checking have been
excellent. This assertion, if honored by receiving domains, will provide
significant additional protection from phishing/trojan emails for huge
numbers of inboxes. There is a small volume of email that appears to
have broken signatures (a very few cases involving forwarding but it may
be related to specific edge cases with regard to the choice of signed
headers).  Then there are the unsigned emails purporting to be us and
not coming from our IP Address space.....phishing emails....trojan
emails...... 

I think receivers are going to implement DKIM checking so fast your head
will spin. I have a feeling that the default implementation - whether in
the standard or not - is going to be to automatically check the SSP of
the From anyways because there is real value in such a check. I think
you are going to find receivers placing significant weight on strong
assertions by domains. 

Why not codify something that has value and does not prevent someone
deciding what to do with that check? The MAAWG website indicates (2nd
Qtr 2007) that 86.7% of email is abusive email. Others report a higher
percentage. Don't think for a minute that the bad folks aren't going to
try to find ways to subvert DKIM in practice. Why make it weaker and
more subject to gaming when we can make it stronger and more resistant
to gaming?

The dkim.org website contains this statement in the first paragraph:
"Technically DKIM provides a method for validating a domain name
identity that is associated with a message through cryptographic
authentication." Which has the stronger association with a particular
message? A third party or the domain that is the purported originator of
the message?

If we have such a relaxed mode of operation, bad guys just 
have to run in legacy mode.  No adaption required.


+1

We are erroneously presuming everyone is going to depend on
DKIM being tied to reputation services and, in my view, this is
going to be the biggest mistake we make here.


+1

Mike

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
