ietf-dkim

Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion

2010-05-10 14:54:29
On 5/10/10 4:50 PM, John R. Levine wrote:
No, all it says is "we signed this mail."  A signer with a good
reputation will presumably rarely sign mail where the From: address
actively misidentifies the sender, but that's a second order effect.
       
Right, and because the domain owner has signed the email, they can be held
responsible for abuse. At least, to a greater extent than when the mail
hasn't touched any system that they have any control over.
     
It is certainly reasonable to say that the signer has a good reputation,
so we will accept his mail.  But that's different from saying that the
signer has a good reputation, so the From: address must be "real".
   
Agreed.

For those looking for some hybrid scheme, it should be noted SPF does 
not authenticate originating domains.  Domain reputation based upon SPF 
authorization is prone to exploitation, since many domains share common 
servers.  Ambiguities caused by shared IP address authorization make it 
impractical to respond effectively by name.  In addition, 
Authentication-Results headers fail to capture the IP addresses of 
servers publicly issuing messages (over port 25) which also impairs IP 
address reputation checks of transactions handled by third parties, such 
as mailing lists.

Once again, this sounds like a solution searching for a problem.  I've
done the occasional bozofiltering in mailing lists, but because the
people were bozos, not spammers.
       
The problem is reputation assignment. Different recipients (of mail from the
same list) will have different views of the sender's reputation.

But, the problem is real, and recognised. Mailing lists break signatures.
     
It is certainly a fact that mailing lists break signatures.  But there are
differences of opinion whether it's a problem.  Although I've seen plenty
of assertions that it's a problem, we're a bit thin with real life as
opposed to hypothetical scenarios where the broken signature leads to bad
results.

The only one I've seen so far is the ADSP+list ->  lost or rejected mail.
I would say that is misuse of ADSP, not a list problem, since we were
quite aware of it and in Appendix B of RFC 5617 we say not to do that.
   
The intended use of restrictive ADSP is to allow domains a means to 
limit acceptance of potentially misleading messages.   When is it okay 
for a trusted entity to permit acceptance of potentially misleading 
messages, and wouldn't use of additional domains lead to recipient 
confusion and invite more abuse?

Email reputation checks seldom reflect whether some From email addresses 
might be misused.  Use of DKIM in conjunction with a domain specific 
third-party authorization mechanism provides domains an effective means 
to better protect their recipients.  Lacking a domain specific 
third-party authorization scheme makes ADSP unsuitable for most 
domains.  Abuse is not limited to just transactional messages.  Being 
limited to transactional messages affords too little coverage to foster 
broad adoption.

-Doug
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
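
Added example, not part of the original message or of any DKIM implementation: a sketch of the "ADSP+list" case discussed above, showing how a list footer changes the DKIM body hash so that only the list's signature verifies, and what each ADSP practice then implies. The domains `author.example` and `list.example`, the sample body, the outcome labels and the assumption that headers pass through unchanged are all constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample: a short contributor body, plus the footer this list appends.
ORIGINAL = b"Agreed.\r\n\r\n-Doug\r\n"
LIST_FOOTER = (b"_______________________________________________\r\n"
               b"NOTE WELL: This list operates according to\r\n"
               b"http://mipassoc.org/dkim/ietf-list-rules.html\r\n")


def canon_body_relaxed(body: bytes) -> bytes:
    """DKIM 'relaxed' body canonicalization: collapse runs of whitespace,
    drop whitespace at line ends and empty lines at the end of the body."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value a signer places in bh= (SHA-256, base64)."""
    digest = hashlib.sha256(canon_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def adsp_outcome(from_domain: str, valid_signers: list, practice: str) -> str:
    """ADSP only counts a valid signature whose d= equals the From: domain.
    The returned labels are this example's own, not RFC terms."""
    if from_domain.lower() in {d.lower() for d in valid_signers}:
        return "author-signed"
    return {"discardable": "discard", "all": "suspicious"}.get(practice, "no-statement")


def simulate(practice: str) -> str:
    """Contributor signs ORIGINAL; the list appends its footer and re-signs."""
    signed_bh = body_hash(ORIGINAL)            # computed at author.example
    relayed = ORIGINAL + LIST_FOOTER           # what the subscriber receives
    valid = ["list.example"]                   # list signature covers relayed body
    if body_hash(relayed) == signed_bh:        # author signature survives only if equal
        valid.append("author.example")
    return adsp_outcome("author.example", valid, practice)


if __name__ == "__main__":
    for p in ("unknown", "all", "discardable"):
        print(p, "->", simulate(p))
```

The list's own valid signature never changes the ADSP result, because it is a third-party signature rather than an Author Domain Signature.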
