This is a good example of the problem here.
On the one hand we have a noble cause and wish to protect the brand
reputation with a trusted service using a positive Domain Reputation
Assertion.
But on the other hand, we don't want to follow any violations or
deviations of this positive Domain Reputation Assertion.
Let's make perfectly clear there is NO ISSUE with this idea.
Assuming this is the way we want to go with an undefined Reputation
Protocol, this is ok, but we need to also follow what Dave Crocker
recently wrote:
"When someone asserts that a mechanism offers protection, they
are obligated to account for the cases that are /not/ covered.
If they are diligent, they will then assess the relative costs
and benefits of this protection proportion, versus the
unprotected proportion." [1]
What I have been speaking of all along is that POLICY would provide for
Failure Detection against protocol violations. That would include a
protocol based on reputation.
A reasonable compromise can be produced if receivers, including
intermediaries, follow the same standard protocol methodology:
Step 1) Look up the reputation, Resolve
Step 2) Lacking Reputation Indicators or indeterminate
signer resolution, look up ADSP to resolve Domain
Signature Expectations.
Crocker and Levine, if you guys can accept this, I think you will go a
long way to getting a final resolution to the 4-5 year policy
debates and more importantly, show a green light and light at the end
of the tunnel to begin getting more developers to implement DKIM and
get wider network adoption of DKIM using a persistent protocol
methodology.
I don't think #2 interferes with your Reputation schemes and
promotions, but it will require accepting standard provisions that
intermediaries follow by the same consistent rules.
--
Hector Santos, CTO
Santronics Software, Inc
[1] http://mipassoc.org/pipermail/ietf-dkim/2009q4/012655.html
hector wrote:
Dave CROCKER wrote:
Ian Eiloart wrote:
OK. What ADSP adds is the ability to assign reputation to a specific
email claiming to originate from a specific domain. Except for
"unknown".
A DKIM signature says nothing about "origination". A signature is
typically by an organization that handles the message, but it need not
be the originator or even a sender. An independent trust service,
such as Goodmail, could sign it, for example.
So are you saying that all receivers should whitelist goodmail.com
dkim-signature: d=goodmail.com ....?
regardless of what the Author Domain has declared for ADSP?
Should we take for granted that the author domain has paid GOODMAIL.COM
to certify its mail?
Conversely, what happens when mail from author domain does not arrive
with GOODMAIL.COM signatures?
How does the receiver handle this?
--
HLS
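
The two-step receiver methodology proposed in the message above, sketched as an added example (not code from the original post or from any DKIM implementation). The reputation table, the domains and the function names are constructed for illustration; the ADSP tag values (unknown, all, discardable) and the `_adsp._domainkey.<domain>` lookup location are those of RFC 5617.

```python
# Constructed sample data; every name below is hypothetical.
REPUTATION = {"goodmail.example": "good"}   # stand-in for an (undefined) reputation service
ADSP_TXT = {                                # stand-in for TXT at _adsp._domainkey.<domain>
    "bank.example": "dkim=discardable",
    "corp.example": "dkim=all; x=ignored",
    "broken.example": "v=1; dkim=all",      # malformed: record must start with "dkim"
}

def parse_adsp(txt):
    """Return the RFC 5617 signing practice, or 'unknown' if absent or malformed."""
    if not txt:
        return "unknown"
    # The signing-practices tag must be the first tag in the record.
    name, sep, value = txt.split(";", 1)[0].partition("=")
    if name.rstrip() != "dkim" or not sep:
        return "unknown"
    value = value.strip()
    return value if value in ("unknown", "all", "discardable") else "unknown"

def evaluate(author_domain, valid_signers):
    """valid_signers: set of d= domains whose DKIM signatures already verified."""
    # Step 1: look up reputation for each verified signer.
    for signer in sorted(valid_signers):
        verdict = REPUTATION.get(signer)
        if verdict is not None:
            return ("reputation", signer, verdict)
    # Step 2: no reputation indicator, so fall back to the author domain's ADSP.
    if author_domain in valid_signers:
        return ("adsp", author_domain, "pass")   # author domain signature present
    practice = parse_adsp(ADSP_TXT.get(author_domain))
    outcome = {"all": "fail", "discardable": "discard"}.get(practice, "unknown")
    return ("adsp", author_domain, outcome)

if __name__ == "__main__":
    # Mail signed by the trust service: step 1 resolves it.
    print(evaluate("bank.example", {"goodmail.example"}))
    # Same author domain, no trust-service signature: step 2 applies ADSP.
    print(evaluate("bank.example", set()))
    # Signed only by an intermediary with no reputation: ADSP still decides.
    print(evaluate("corp.example", {"list.example"}))
```

The second and third calls are the case raised in the quoted question: mail that arrives without the trust service's signature is still evaluated against what the author domain published.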