ietf-dkim

Re: [ietf-dkim] Is anyone using ADSP? - bit more data from the receiving side

2009-10-13 13:44:07


Ian Eiloart wrote:
> I understand the issue here, but part of the point of DKIM/ADSP is to allow
> automated systems to assign reputation to an email domain or email address
> - a byte string.

First, d= is only a domain, not an address.

Second, DKIM semantics do not claim that any part of a message is "valid", 
except for the d= string.  As a side-effect of the mechanism used to achieve 
this, DKIM also claims that the bits covered by the authentication hash are the 
same at verification as they were at signing time, but that's quite different 
from claiming that they are "valid".

Third, there is a very basic difference between assigning a reputation to a name
that is voluntarily provided -- such as the d= string -- versus trying to catch 
deceptive, unsigned messages.  They cover completely different philosophies and 
technologies.

The intent behind ADSP is to create an overlap for the otherwise-independent 
topics.  It works for some very narrow -- but still useful -- scenarios, and 
very much does not work for any other scenarios.

We need to be careful that we distinguish between scenarios that are reasonable 
to include in any mechanism that requires end-to-end perfection, versus other 
legitimate scenarios that are not subject to such tight controls.


> Those automated systems will be able to distinguish
> between paypal.com (likely with high positive reputation) from paypa1.com

A message from a Bad Actor either will not be signed or will not have a 
reputation history.  So the idea that there is a task of "distinguishing" 
between paypal.com and paypa1.com really misses the point:  For DKIM reputation,
all that matters is paypal.com.


> Furthermore, such systems could be designed to look for close mismatches,

Such systems could be designed to use an infinite array of heuristics; in fact 
they already are.  What is not clear is how this is relevant to a standards 
discussion about DKIM or ADSP.


> It might be nice if paypal could publish in the DNS a set of related
> domains, that it is willing to share the reputation of paypay.com with.

Why?  What would it take to maintain it?  Who would use it?  Why do you believe 
they will use it?  Why is it not sufficient for those "related" domains to 
develop their own reputation?

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
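
The following is an added illustration, not part of the original message or of any DKIM implementation: a receiver-side sketch that keys reputation on the verified d= value only and applies the ADSP practices of RFC 5617 (unknown, all, discardable) as a separate check. The function names, the reputation table and the result labels are assumptions, and signatures are assumed to have already passed cryptographic verification elsewhere.

```python
import re

# Constructed sample data: reputation history is stored per verified d= domain.
REPUTATION = {"paypal.com": 0.98}

def parse_tag_list(value):
    """Parse a DKIM-Signature tag=value list (RFC 6376, section 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def author_domain(from_header):
    """Domain of the From: address (simplified: one author, no comments)."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header.strip())
    return m.group(1).lower() if m else None

def assess(from_header, verified_sigs, adsp_policy="unknown"):
    """verified_sigs: DKIM-Signature values that already verified (assumption).
    adsp_policy: practice published by the From: domain, per RFC 5617.
    """
    author = author_domain(from_header)
    signers = [parse_tag_list(s).get("d", "").lower() for s in verified_sigs]
    signers = [d for d in signers if d]
    # Reputation is looked up by d= only; the From: header plays no part here.
    scores = {d: REPUTATION.get(d) for d in signers}
    # ADSP: an Author Domain Signature is a valid signature with d= equal to the From: domain.
    if author in signers:
        adsp = "pass"
    elif adsp_policy == "discardable":
        adsp = "discard"
    elif adsp_policy == "all":
        adsp = "suspicious"
    else:
        adsp = "none"
    return {"author": author, "reputation": scores, "adsp": adsp}

if __name__ == "__main__":
    # Constructed signature value; bh= and b= are placeholders, not real hashes.
    sig = "v=1; a=rsa-sha256; d=paypa1.com; s=sel1; h=from:to; bh=AAAA; b=BBBB"
    print(assess("Service <service@paypa1.com>", [sig]))
```

A validly signed message from a look-alike domain yields an ADSP pass but no reputation entry, while an unsigned message claiming a domain with a "discardable" practice is caught by ADSP alone.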
