Ian Eiloart wrote:
> I understand the issue here, but part of the point of DKIM/ADSP is to allow
> automated systems to assign reputation to an email domain or email address
> - a byte string.
First, d= is only a domain, not an address.
Second, DKIM semantics do not claim that that any part of a message is "valid",
except for the d= string. As a side-effect of the mechanism used to achieve
this, DKIM also claims that the bits covered by the authentication hash are the
same at verification as they were at signing time, but that's quite different
from claiming that they are "valid".
Third, there is a very basic difference between assigning a reputation to a name
that is voluntarily provided -- such as the d= string -- versus trying to catch
deceptive, unsigned messages. They cover completely different philosophies and
technologies.
The intent behind ADSP is to create an overlap for the otherwise-independent
topics. It works for some very narrow -- but still useful -- scenarios, and
very much does not work for any other scenarios.
We need to be careful that we distinguish between scenarios that are reasonable
to include in any mechanism that requires end-to-end perfection, versus other
legitimate scenarios that are not subject to such tight controls.
> Those automated systems will be able to distinguish
> between paypal.com (likely with high positive reputation) from paypa1.com
A message from a Bad Actor either will not be signed or will not have a
reputation history. So the idea that there is a task of "distinguishing"
between paypal.com and paypa1.com really misses the point: For DKIM reputation,
all that matters is paypal.com.
> Furthermore, such systems could be designed to look for close mismatches,
Such systems could be designed to use an infinite array of heuristics; in fact
they already are. What is not clear is how this is relevant to a standards
discussion about DKIM or ADSP.
> It might be nice if paypal could publish in the DNS a set of related
> domains, that it is willing to share the reputation of paypal.com with.
Why? What would it take to maintain it? Who would use it? Why do you believe
they will use it? Why is it not sufficient for those "related" domains to
develop their own reputation?
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
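As an added illustration, not part of this list thread, the following Python shows the semantics argued above: a passing signature asserts the d= domain and that the covered bits are unchanged (here the bh= body hash over DKIM "simple" body canonicalization), reputation attaches to d= and nothing else, and ADSP's narrow overlap is only the comparison of the From: domain with d=. The public-key check of b= is assumed already done; the From: header, body, signature tags and reputation table are constructed.

```python
import base64
import hashlib
import re

# Constructed sample, not a real capture: the lookalike domain signs its own mail,
# and a verifier truthfully reports d=paypa1.com for it.
SAMPLE_FROM = "Billing <billing@paypa1.com>"
SAMPLE_BODY = "Your invoice is attached.\r\n\r\n\r\n"
REPUTATION = {"paypal.com": 0.95}  # constructed: only signers with a history appear

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs; folding whitespace is insignificant."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())
    return tags

def canonicalize_body_simple(body):
    """DKIM 'simple' body canonicalization: drop trailing empty lines, keep exactly one final CRLF."""
    return re.sub(r"(\r\n)+\Z", "", body) + "\r\n"

def body_hash(body):
    """bh= covers the canonicalized body bits: the same bits at verification as at signing, nothing more."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode()).digest()
    return base64.b64encode(digest).decode()

def signing_domain(tags):
    """A passing signature asserts exactly one identifier: the d= domain (a domain, not an address)."""
    return tags["d"].lower()

def from_domain(from_header):
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header)
    return m.group(1).lower() if m else None

def assess(from_header, dkim_header, body):
    """What DKIM asserts, what reputation attaches to, and the one question ADSP adds on top."""
    tags = parse_dkim_tags(dkim_header)
    d = signing_domain(tags)
    return {
        "signer": d,
        "bits_unchanged": body_hash(body) == tags["bh"],
        "reputation": REPUTATION.get(d),  # None: no history, so there is nothing to "distinguish"
        "adsp_author_domain_signed": from_domain(from_header) == d,
    }

if __name__ == "__main__":
    sig = "v=1; a=rsa-sha256; d=paypa1.com; s=sel1; h=from:to:subject; bh=%s; b=placeholder" % body_hash(SAMPLE_BODY)
    print(assess(SAMPLE_FROM, sig, SAMPLE_BODY))
```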