Michael Adkins wrote:
Req. #3 requires some sort of assessment mechanism, such as a third-party whitelist.
There are two questions that you have to answer before you send a
report. One is where to send it. How to answer that question is a good
candidate for standardization I think. The other is whether you should
send it or not. This is a much stickier question as the policies for
existing FBLs vary widely and there is scant little consensus. On the
one end you have folks like Outblaze who require a strong whitelist
status for the sender in order to receive reports. On the other you have
AOL who will send reports to anyone who can display a reasonable amount
of authority for the domain (access to the postmaster@ mailbox for a
confirmation, for example). These differences are due to policies based
around everything from filtering strategy to legal requirements and
there is little motivation to converge. As such, I find this part to be
a poor candidate for standardization, beyond addressing the bare minimum
authority requirements. If there is a strong desire to do so, that's
fine, but please keep it separate from the 'where to send it' question.
I think the "whether" question divides into two parts.
The first is authority for receiving reports. This is more than just being told
where to send reports; it satisfies the requirement to determine that the
directive for where to send reports comes from an authority to make that
request. So, is the "where" a valid request?
The second is whether the reporting agency wants to honor that valid request.
That's the role of the assessment mechanism. You cite Outblaze, which requires
a strong assessment, and you cite AOL which effectively requires none -- it will
send a report to anyone asking for it and authorized to do so. I can't think of
any reason that is or should be inherent to this mechanism for constraining the
assessment step -- the Outblaze and the AOL policies both ought to be acceptable.
In the summary, I tried to wave my hand about what assessment step might be
performed. I think you've demonstrated why it's important NOT to specify very
much about it. But I don't think you've highlighted any error or problem with
this part of the summary. (In contrast with the corrections you supplied for
other parts of the summary.)
I guess my question is why this doesn't come for free, when honest-to-goodness
operator-oriented domain name white lists gain traction? Such lists are the
real goal of doing /any/ DKIM signing. So once you have sending operators
signing with DKIM and an array of assessment mechanisms using DKIM-verified
domain names, why can their use be easily extended to this type of FBL?
They can if the whitelists' requirements comply with your FBL policy. So,
you are correct in that eventually we should get it for free. This is a
good argument for leaving the 'should I send it' question separate from
'where to send it'.
and, to be complete, the "is the specification for where to send it valid?"
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html