-----Original Message-----
From: John Levine [mailto:johnl(_at_)iecc(_dot_)com]
Sent: Sunday, February 03, 2008 2:44 PM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Cc: MH Michael Hammer (5304)
Subject: Re: [ietf-dkim] poison signatures, was draft-ietf-dkim-ssp-02

It is my belief that most recipient domains are likely to find not
checking author domain SSP (for discardable) as an invitation
to abuse.

It's hard to see this as saying anything other than that SSP
publishers get to regulate the operation of mailing lists,
send-an-article, etc. run by unrelated third parties.

John,
It's not that hard to consider my comment as something other than SSP
publishers regulating mailing lists, send-an-article, etc.
Your assertion is analogous to blaming the homeowner who retains a
security service (and puts up stickers pointing this out) for the fact
that the person down the street chooses to leave their doors unlocked,
the windows open and keys in the car....and for the fact that homeowner
#2 gets abused as a result. The further outcome is that homeowner #1
gets a discount on their insurance while homeowner #2 likely gets
dropped by their insurer. This is not some poisonous plot on the part of
homeowner #1 to cause homeowner #2 grief and get their insurance
provider to drop coverage. Homeowner #1 has simply raised defenses that
make the burglar less likely to abuse them, reduced risk and thus the
criminal is more likely to abuse homeowner #2. Homeowner #2 has many
options with regard to how they might change their circumstances.
Mailing lists, send-an-article, and other services can operate however
they want. I don't envision SSP publishers in any way regulating how
those services MUST operate. Different service providers may choose
different models of operations as they believe is most appropriate for
their circumstances. Ultimately, receivers - whether organizations or
individuals - get to choose which messages (and from whom) they will
accept or reject. Receivers may take many things into consideration. It
may be that DKIM or SSP never grow to be one of those things - time will
tell.
Note that I did not state that recipient domains would/should take a
particular action based on checking author domain SSP, I only pointed
out that not checking generally, if the information is available, would
be an open invitation to abuse. It may be that receivers generally view
the ietf-dkim list as "good" and allow messages from that list through
regardless of DKIM or anything else. On the other hand some recipient
domains may choose to view email purporting to be from their domain (for
example Mail From) and originating from someone else's server as
bad.....hmmm, wait a second, many organizations already do that without
resorting to DKIM. I have noted some MTAs that reject mail if RFC2822
From does not match RFC2821 Mail From. I find nothing in the RFCs that
would support or encourage such an approach but I also recognize that if
it works for that domain then that is their prerogative.
I would like to point out your CircleID article from June 2004 entitled
"Email Address Forgery"
http://www.circleid.com/posts/email_address_forgery/. In it you claimed
greeting cards as one of the "victims" that would be broken by then
newly proposed validation schemes. At that time, we were unable to take
advantage of those various approaches. We decided to change our approach
so that we could take advantage of those approaches. Nobody regulated or
mandated that we change. We simply felt that these approaches enabled us
to work with others to reduce messaging abuse and have thus embraced
them. You choose to remain skeptical regarding these approaches. That is
your prerogative. I remember a time when SSH was newfangled and most
folks used telnet and r commands. There may be some people who admin
boxes using telnet across the open internet... I don't know of any
personally.

Even if it's against my internal rules for one of my users to
contribute to a mailing list to which you subscribe, I can't
imagine how I could expect that you enforce my rules against my users.

This leads us to the ugly. There is a difference between
stating, expecting and demanding.
I'm not commanding you to enforce my rules on your list. You will choose
to do what you wish. Remember King Canute?
I'm not demanding that any receiver reject mail from any source. I'm not
even expecting that all receivers will reject mail purporting to be from
my domains but are not signed - regardless of any statement made in SSP.
Receivers will do what they choose. If ignoring SSP works for a
particular receiver then that is what they will do. If another receiver
chooses to incorporate SSP as one of many things they consider, more
power to them. Some receivers may choose to reject anything purporting
to be from my domains that does not have an authenticated signature. I
happen to believe that something similar to the homeowner example will
occur.
You are asking me to argue about users when I personally am seeking to
protect originating domains that have no users (other than in direct
support of the domains' activities), only role accounts for which
messaging is generated from applications. ssp-02 recognizes that
particular circumstance and addresses it, for which I am appreciative.
Some domains with user accounts may choose to make a strict
assertion/discardable. Others may choose not to. That's the beauty of
choice. We should always remember that the right and ability to make
choices inherently includes the right to make poor ones - whatever your
particular definition of poor happens to be.

Or to put it more baldly, it's not mail abuse just because I
don't like it.

I don't care to go too far down this path as it's really a strawman.
Unless you reject the notion of equity interest in a domain name (that
is, a domain name is something that one has property/ownership right in)
then you cannot claim it is simply something that "I don't like".
Whether it is a large company or an individual domain owner, they do
have the right to make statements about the proper (or improper) use of
their name. Your apparent concern is that someone might listen to that
statement.
I personally feel no need to go down the legal/philosophical path on
this because ultimately, the receiver (domain or individual) has the
whip hand. Engage in practices they don't care for - whether you call it
abuse or "I don't like" - and your messages will not go through. It is
really that simple. Nobody is forced to carry another's traffic and
nobody is forced to accept someone else's messages.
Mike