ietf-dkim

Re: [ietf-dkim] General Feedback loop using DKIM

2009-05-28 12:08:46
Dave CROCKER wrote:


Michael Adkins wrote:
      Req. #3 requires some sort of assessment mechanism, such as a
third-party whitelist.
  
There are two questions that you have to answer before you send a
report. One is where to send it. How to answer that question is a good
candidate for standardization I think. The other is whether you should
send it or not. This is a much stickier question as the policies for
existing FBLs vary widely and there is scant little consensus. On the
one end you have folks like Outblaze who require a strong whitelist
status for the sender in order to receive reports. On the other you have
AOL who will send reports to anyone who can display a reasonable amount
of authority for the domain (access to the postmaster@ mailbox for a
confirmation, for example). These differences are due to policies based
around everything from filtering strategy to legal requirements and
there is little motivation to converge. As such, I find this part to be
a poor candidate for standardization, beyond addressing the bare minimum
authority requirements. If there is a strong desire to do so, that's
fine, but please keep it separate from the 'where to send it' question.

I think the "whether" question divides into two parts.

The first is authority for receiving reports.  This is more than just
being told where to send reports; it satisfies the requirement to
determine that the directive for where to send reports comes from an
authority to make that request.  So, is the "where" a valid request?

The second is whether the reporting agency wants to honor that valid
request. That's the role of the assessment mechanism.  You cite
Outblaze, which requires a strong assessment, and you cite AOL which
effectively requires none -- it will send a report to anyone asking
for it and authorized to do so.  I can't think of any reason that is
or should be inherent to this mechanism for constraining the
assessment step -- the Outblaze and the AOL policies both ought to be
acceptable.

In the summary, I tried to wave my hand about what assessment step
might be performed.  I think you've demonstrated why it's important
NOT to specify very much about it.  But I don't think you've
highlighted any error or problem with this part of the summary.  (In
contrast with the corrections you supplied for other parts of the
summary.)


I guess my question is why this doesn't come for free, when
honest-to-goodness operator-oriented domain name white lists gain
traction?  Such lists are the real goal of doing /any/ DKIM
signing.  So once you have sending operators signing with DKIM and an
array of assessment mechanisms using DKIM-verified domain names, why
can their use be easily extended to this type of FBL?

They can if the whitelist's requirements comply with your FBL policy.
So, you are correct in that eventually we should get it for free. This
is a good argument for leaving the 'should I send it' question separate
from 'where to send it'.

and, to be complete, the "is the specification for where to send it
valid?"

d/

I can agree with all this.  Specify how to validate the request. 
Mention that trust is important and why, but leave it to the report
sender to specify.

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
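The thread above separates three questions a report sender faces: where to send the report, whether the "where" directive really comes from an authority for the signing domain, and whether the sender's own assessment policy wants to honor a valid request. The following is an added example, not code from the list or from any of the participants, showing that separation as decision logic a DKIM verifier could run. Everything about the directive is assumed: the signing domain is taken to publish a hypothetical `ra=` report-address record (here a constructed in-memory table standing in for a DNS lookup), a destination outside the signing domain is only accepted if the operator has confirmed it out of band (the postmaster@ confirmation the thread mentions is one way), and the two assessment policies are stand-ins for the Outblaze-style and AOL-style behaviour described. The authority check is the part that matters most operationally: without it, anyone who can sign mail can point a stream of complaint reports at a third party's mailbox.

```python
"""Added example (not from the ietf-dkim thread): separating "where to
send", "is the request valid" and "do we want to send" for a DKIM-based
feedback loop.

Assumed, not specified by the thread:
  - the message has already passed DKIM verification and we hold the
    verified d= domain;
  - the signing domain publishes a hypothetical 'ra=' report-address
    record; DIRECTIVES below is a constructed table standing in for the
    DNS lookup that would fetch it;
  - an address outside the signing domain is honored only if the operator
    has confirmed it separately (CONFIRMED_EXTERNAL, also constructed).
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data standing in for DNS and out-of-band state.
DIRECTIVES = {
    "example.com": "ra=abuse-reports@example.com; v=1",
    "bulk.example.net": "ra=fbl@reports-vendor.example",   # third-party address
    "spammy.example.org": "ra=victim@other.example",        # unconfirmed third party
    "broken.example": "v=1; ra=not-an-address",            # malformed directive
}
CONFIRMED_EXTERNAL = {("bulk.example.net", "fbl@reports-vendor.example")}
WHITELIST = {"example.com"}   # strong-assessment list (Outblaze-style policy)


@dataclass
class Decision:
    send: bool
    destination: Optional[str] = None
    reason: str = ""


def parse_directive(record: str) -> Optional[str]:
    """Return the report address from a 'tag=value; tag=value' record, or None."""
    for part in record.split(";"):
        tag, _, value = part.strip().partition("=")
        if tag.strip() == "ra" and "@" in value:
            return value.strip().lower()
    return None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def same_or_subdomain(domain: str, parent: str) -> bool:
    return domain == parent or domain.endswith("." + parent)


def validate_where(signing_domain: str) -> Decision:
    """Questions 1 and 2: find the destination and check the directive is
    authoritative for it. The DKIM signature establishes who controls the
    signing domain; the directive only binds addresses that domain owns,
    unless the operator confirmed an external one out of band."""
    signing_domain = signing_domain.lower()
    record = DIRECTIVES.get(signing_domain)
    if record is None:
        return Decision(False, reason="no report directive for signing domain")
    dest = parse_directive(record)
    if dest is None:
        return Decision(False, reason="unparseable directive")
    if same_or_subdomain(domain_of(dest), signing_domain):
        return Decision(True, dest, "destination within signing domain")
    if (signing_domain, dest) in CONFIRMED_EXTERNAL:
        return Decision(True, dest, "external destination confirmed out of band")
    return Decision(False, reason="external destination not confirmed; refusing to relay reports")


# Question 3: pluggable assessment policies, deliberately kept separate.
def policy_strict(signing_domain: str) -> bool:
    """Only send to domains on the operator's whitelist."""
    return signing_domain.lower() in WHITELIST


def policy_open(signing_domain: str) -> bool:
    """Send to anyone whose request validated."""
    return True


def decide(signing_domain: str, policy: Callable[[str], bool]) -> Decision:
    where = validate_where(signing_domain)
    if not where.send:
        return where                      # invalid request: policy never consulted
    if not policy(signing_domain):
        return Decision(False, where.destination, "valid request, declined by assessment policy")
    return where


if __name__ == "__main__":
    for dom in DIRECTIVES:
        for name, pol in (("strict", policy_strict), ("open", policy_open)):
            d = decide(dom, pol)
            print(f"{dom:22} {name:6} send={d.send!s:5} {d.destination or '-':30} {d.reason}")
```

The ordering in `decide` is the point: the authority check runs first and is the same under every policy, while the assessment step is whatever the reporting operator chooses, so a strict and an open operator share the validation code and differ only in the policy function.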