Charles Lindsey wrote:
On Mon, 05 Oct 2009 14:37:56 +0100, MH Michael Hammer (5304)
<MHammer(_at_)ag(_dot_)com> wrote:
In light of the comments by Bill Oxley and my belief that the ability of
a domain to designate signing by a specified 3rd party is useful, I'd
like to see this included in the update. I believe this would be useful
for ISPs as well as ESPs. I don't have any specific wording or proposals
on this.
At item I would like to see is some clear guidance to mailing list
expanders (otherwise they are all going to do it differently). It may turn
out that there is no "one size fits all" solution, but I doubt that 57
different solutions would be needed either.
First, For any 3rd party signer, there is one commonality - it MUST
honor RFC 5617 (ADSP) otherwise it is adding risk to the 1st party
domain and to its own operations.
Until this is recognized, I don't see any hope whatsoever on getting
any additional 3rd party signing controls.
I'm a list server developer and I can see how I can sleep like a baby
thinking we can blindly sign any domain passing thru the system
without creating issues for ourselves or the domain itself.
I can see the explicit agreement established with DNS provisioning
working between two parties working. These are concrete contracts.
There is built-in indemnification, authorization.
But the blind 3rd party signing of the 1st party is the problem.
Second, even if the MLS begins to honor RFC 5617 which to me would be
a major step forward for greater DKIM adoption, we are still missing
a policy that tells a MLS they are "Allow To Resign".
We have the following:
UNKNOWN, I DON'T CARE WHO SIGNS
ALL, I ALWAYS SIGN, JUST DON'T GO NUTS REJECTING MAIL
DISCARD, I ALWAYS SIGN, REJECT INVALID MAIL!!
We have two considerations:
ALWAYS, MAIL IS ALWAYS SIGNED BY ME OR SOMEONE ELSE
ALWAYS, MAIL IS ALWAYS SIGNED BY ME OR SPECIFIC DOMAIN
The latter is the concern by some that we would never be able to scale
an unbounded authorization list of specific 3rd party domains.
I ask these design questions:
1) Why does it have to be unbounded? Why can't there be a limit? I
personally do not see the majority of these cases to have a need for
unbounded list. If so, its just a case of more DNS provisioning. I
don't join all the mailing list without some knowledge of who they
are. I would love the opportunity to declare that mipassoc.org or
gmail.com is signing on behave of my domain. I am not going to want
or need to have room for 50, 20, 30 or ever 10 mailing list 3rd party
signing domains.
2) Do we need a LIST at all? Why not just the statement itself
"ALWAYS SIGNED by anyone" sufficient and then allow the expected
"Domain Reputation Layers" to augment a more complete solution?
Unfortunately, the status quo right now RFC 5617 is useless and that
promotion has made it not supported by some list servers, including
this mail list server.
If we can't a list server like Mipassoc.org to support RFC 5617, I
don't see any hope in 3rd party signer Policy discussions.
--
HLS
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html