Douglas Otis wrote:
On Jun 18, 2009, at 11:18 AM, hector wrote:
This is why I as seeking an answer to why just d= and not anything
else. What it for a reputation system?
The response from a closed group of large email providers regarding
how they would like to have their reputation handled was to have their
entire domain's messages receive the _same_ reputation. This is not
surprising.
Right. Glad to hear it is consortium or group and not just one. It
will help centralize it. Buts it still is a "Batteries Required"
problem for the general across the board adoption of DKIM. If its an
open service system (free "basic service" signup model if offered,
free client lookups), then the problem is lessen.
Treating all of their messages en mass makes it
impractical to isolate abusive accounts or to retain delivery
integrity. :^(
This is why I was so adamant about having a policy system that wide
adoption of DKIM receivers can use as a default defense. Not everyone
has to be signers. The migration path might be that most will become
DKIM verifiers first, then their domain signing strategy is worked out.
This is also why they wish to ignore DKIM's potential for replay
abuse.
Looking for the golden (DKIM) needles in the (abuse) haystack. :)
DKIM suffers the problems found with any cryptographic
solution that can be replayed. Once all of the domain's signatures
are white-listed as suggested, this will invite massive levels of abuse.
I am not so concern about replays as is my overall two concerns:
1) Obvious DKIM faults, spoofs direct or indirect (bad guy has your
domain in his list and is DKIM ignorant) are not protected when they
are so easy to detect using basic DKIM signing policies.
2) The levels of faults (abuse) will overwhelm the fewer good finds,
enough such that low to mid size receivers will turn off the
processing. When the payoff::efficiency ratio begins to be so low,
DKIM begins to become ignored.
Bad guys can use this form of DKIM DoS strategy as did the Sorbig Dual
Blitz attack which help jump start the IETF email security efforts. It
was the final straw for many. SorBig first blasted systems with IP
faults to forced system to shutdown popular RBL sites, then it blasted
people with intentional accept/bounce attacks.
Whats odd, is the bad guys are probably laughing it up is the best
thing to circumstance DKIM is to now try to use it - ignore it, keep
with Legacy operations. Don't raise any flags. But if they wanted to
spoof DKIM domains, all they need to is blast enough systems to seek
out DKIM receivers who don't subscribe to the Centralized Consortium
Reputation Service.
What irks me the most is the lost time and opportunity to have a major
impact on the spoof and domain abuse problem across the board, for all
sizes of people. Not just my large customers but all my customers.
What the large companies need to realize that the little systems can
really help them too. So it is to their benefits that all systems,
from small to large on the public Port 25 SMTP network can use policy
or a reputation system.
We could of have both Reputation and Policy as powerful assessors to
DKIM-BASE completely by now. But it was the reputation people who
didn't want Policy. The policy people has always said that reputation
is also important part of the picture. I even felt Reputation should
have been part of the charter so that people can be open about it, and
work out all the issues. They didn't have to worry about blatant
charter ignorance and didn't have to play games with word smithing.
Just consider in the Draft DKIM Overview up to revision 05:
http://tools.ietf.org/html/draft-ietf-dkim-overview-05.txt
it directly said:
2.3. Filtering
...
Unless a scheme can correlate the DKIM signature with accreditation
or reputation data, the presence of a DKIM signature SHOULD be
ignored.
I know I posted concerns about that. Don't recall if others publicly
posting concerns, but this has been remove since revision 06 with a
complete rewrite of the DKIM overview draft.
Quite frankly, at this point, it should really be added back in. It
will give domains a better idea, as the above statement implies, that
DKIM-BASE is worthless without without being part of some reputation
scheme We should not denied them this guidance.
Unless a scheme can correlate the DKIM signature with
accreditation or reputation data, or ADSP policy or some
other assessor scheme, the presence of a DKIM signature SHOULD
be ignored.
Honestly, I really think this is GOOD (and ethical) advice now.
--
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html