
Re: [ietf-dkim] SSP vs. reputation

2008-01-25 11:59:11
MH Michael Hammer (5304) wrote:

The end result is that if you see my messages are "special", then you know that you can't "resend" it as "me."


All your messages are special!

If you wrote it, it's special. Period. :-)

Your MUA should tell ya

     "Sorry, you can't do this. This message is Special."

I agree that a well behaved MUA would do this. BAD MUA! BAD!

Not checking it offhand, I wonder how current MUA PGP or currently supported mail integrity technology handles the "resending" of digitally signed mail. Does it make a point of popping up?

     "Resending this message as new MAY break the integrity"

In any case, this would be an item in the checkoff list for new DKIM/SSP ready MUA designs.

We can't have it both ways. The same way of doing things and expect to get the security we are seeking.


+1

"Who moved my cheese?" (http://www.whomovedmycheese.com) is my recommended book to those afraid of change.

Found this interesting article which is germane even if I don't agree with the author's conclusion and desire to pull an "Al Hague":

E-mail and its security discontents
Why Microsoft, Cisco, IBM and others need to step up to protect SMTP
http://www.arnnet.com.au/index.php/id;1603491549

I bookmarked this to read it later on today.

Something has to give and this one is perfectly acceptable to me because it helps secure my domains as I intended them to be secured with a DKIM=STRICT.

And this desire for protection grows as we all run in circles. The other day I was going through some boxes that had been sitting in my basement for a (long) while. Found a box filled with internet industry magazines from the mid-to-late 1990s. With only a few tweaks the articles and letters to the editor related to abusive email would be applicable today.

Food for thought.

I honestly think everyone wants the same goals. I respect Mr. Crocker's mantra for incremental changes. That's conservative and necessary. But then you see the conflicts of self-interest reputation service marketing campaign that is basically nullifying all logic.

If you have not seen my DSAP IETF I-D (Now expired),

    http://tools.ietf.org/html/draft-santos-dkim-dsap-00

it was based on the simple premise of making sure the DKIM-BASE protocol is consistent with the domain's signing or non-signing expectations. It was designed to look for the FAULTS in a transaction.

It asked the following questions:

   o  Does the domain ever distribute mail?
   o  Do you expect the mail to be unsigned?
   o  Do you expect to sign all mail?
   o  Is your domain the exclusive signer?
   o  Are 3rd party signers or signatures allowed?
   o  Are 3rd party signers allowed to strip your original signatures?

These fault questions can be answered *without* reputation services in a standard general case, wide adoption basis.


--
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
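The fault questions listed above, worked as a receiver-side check, added here as an example that is not code from the DSAP draft or from the post's author. The `Policy` field names, the `STRICT` preset and the sample signer domains are assumptions made for this example, not the draft's DNS record syntax.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Policy:
    """One boolean per fault question, as assumed here (not the draft's syntax)."""
    distributes_mail: bool = True       # Does the domain ever send mail?
    expects_unsigned: bool = False      # Is unsigned mail the expectation?
    signs_all: bool = False             # Does the domain sign all its mail?
    exclusive_signer: bool = False      # Is the domain the only valid signer?
    third_party_allowed: bool = True    # May third parties add signatures?
    third_party_may_strip: bool = True  # May they strip the original signature?


# Constructed preset for the "DKIM=STRICT" expectation named in the post.
STRICT = Policy(signs_all=True, exclusive_signer=True,
                third_party_allowed=False, third_party_may_strip=False)


def find_faults(policy: Policy, author_domain: str,
                valid_signers: list[str]) -> list[str]:
    """Return the policy faults seen on one transaction.

    valid_signers lists the d= domains whose DKIM signatures verified.
    No reputation lookup is involved: only the published policy and the
    signature state of the message are consulted.
    """
    faults: list[str] = []
    author_signed = author_domain in valid_signers
    third_parties = [d for d in valid_signers if d != author_domain]

    if not policy.distributes_mail:
        # Any message claiming this author domain contradicts the policy.
        return ["domain never sends mail"]
    if policy.expects_unsigned and valid_signers:
        faults.append("signature present but domain expects unsigned mail")
    if policy.signs_all and not author_signed:
        # A third-party re-signing that stripped the original is only
        # acceptable when the policy permits both the signer and the strip.
        resigned_ok = (bool(third_parties) and policy.third_party_allowed
                       and policy.third_party_may_strip)
        if not resigned_ok:
            faults.append("author-domain signature missing but domain signs all mail")
    if third_parties and (policy.exclusive_signer or not policy.third_party_allowed):
        faults.append("third-party signature present but not allowed by policy")
    return faults
```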

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
