
Re: [ietf-dkim] New Version Notification for draft-levine-dbr-00 (fwd)

2010-06-21 18:29:10
On 6/21/10 12:00 PM, John R. Levine wrote:
> As threatened, here's an I-D that says how one would publish a list
> of domains for which it makes sense to discard unsigned mail.
>
> Since I'm a big fan of running code, you can find such a list at
> drop.services.net of domains that (in my opinion at least) sign all
> their mail with DK or DKIM, and for whom it makes sense to drop
> unsigned mail.
John,

What motivates using two domains in a query, which still excludes the 
relationship between the author-domain and third-party service?  The 
tpa-label scheme is informative of a specific relationship between 
author-domain and third-party service, thereby allowing responses for 
specific threats and requirements of the author domain.  Why not allow a 
means for domains to indicate they don't use some social network, 
without making the third-party service unusable for any other domain?

A vouching (reputation) service that protects against spoofing using the 
vbr structure will likely confront difficult-to-resolve administrative 
problems.  Thresholds for blocking a domain will likely cause collateral 
losses for other domains not normally phished when other domains are 
being heavily phished.  Because DKIM signatures can be replayed, 
including ancillary conditions, such as requiring a List-ID or Sender 
header, better isolates poorly vetted messages without users seeing 
different email domains used.  Of course, these headers depend upon the 
relationship between the third-party service and the author-domain.  The 
tpa-label scheme allows selective inclusion of other header requirements 
based upon the author-domain.  This information allows recipients to 
depend upon these headers when sorting messages having different levels 
of vetting.  If these specific relationships are not met, the message 
would be refused.

IMHO, it would be less problematic to use the tpa-label mechanism to 
make this type of query. The tpa-label scheme has been improved by 
isolating the hash labels.

Unlike vbr, the tpa-label has less of an impact on the usable domain 
name.  Allowable maximums are not reduced by the size of vouching domain 
and _vouch label.  With tpa-labels, a vouching service can handle a 
domain size up to 241 characters. When a domain provides its own vbr 
vouching service, the maximal domain size may be only 122 characters.  
This smaller size may not work well for international 
domain names.  The added reference size of vbr also displaces 
information bound by a DNS response limit, and results in more of the cache 
being consumed as well, while still omitting information specific to the 
third-party service and the author domain.
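The length figures above follow from the DNS name-length limit (253 characters in dotted text form, 63 per label) applied to the shape of each lookup name. The following script is an added illustration by the editor, not code from Doug's message, from the VBR RFC, or from either draft. It builds the RFC 5518 VBR lookup name `<author-domain>._vouch.<vouching-domain>` and a generic "fixed labels in front of the author domain" lookup, then searches for the longest author domain that still fits. The six-character hash label in the prefixed case is a placeholder chosen only so its fixed overhead (12 characters) reproduces the 241 figure from the post; the actual tpa-label hash label is not something this example asserts.

```python
"""Added example: how the DNS name-length limit bounds the author domain
in VBR-style versus prefixed (tpa-label-style) lookups.
Not code from the post or from any of the drafts it discusses."""

from typing import Callable

MAX_NAME_CHARS = 253   # RFC 1035: 255 octets on the wire, 253 chars in dotted text form
MAX_LABEL_CHARS = 63   # RFC 1035 per-label limit


def build_vbr_query(author_domain: str, vouching_domain: str) -> str:
    """RFC 5518 VBR lookup name: <author-domain>._vouch.<vouching-domain>."""
    return f"{author_domain}._vouch.{vouching_domain}"


def build_prefixed_query(author_domain: str, prefix_labels: list[str]) -> str:
    """Lookup name with fixed labels prepended to the author domain
    (the shape the post attributes to tpa-labels; the labels are assumed)."""
    return ".".join(prefix_labels + [author_domain])


def name_ok(name: str) -> bool:
    """Length check only: total size and per-label size, no empty labels."""
    if len(name) > MAX_NAME_CHARS:
        return False
    return all(1 <= len(label) <= MAX_LABEL_CHARS for label in name.split("."))


def synthetic_domain(n: int) -> str:
    """Constructed test domain of exactly n characters with legal label sizes."""
    labels = []
    while n > 0:
        take = min(MAX_LABEL_CHARS, n)
        if 0 < n - take < 2:      # leave room for a dot plus at least one more char
            take -= 1
        labels.append("a" * take)
        n -= take
        if n > 0:
            n -= 1                # the separating dot
    return ".".join(labels)


def max_author_domain_len(build_query: Callable[[str], str]) -> int:
    """Longest author domain for which build_query() still yields a legal name."""
    for d in range(MAX_NAME_CHARS, 0, -1):
        if name_ok(build_query(synthetic_domain(d))):
            return d
    return 0


# The three cases discussed in the post.
def vbr_self_vouching_limit() -> int:
    # author domain appears twice: d + "._vouch." + d <= 253  ->  d <= 122
    return max_author_domain_len(lambda d: build_vbr_query(d, d))


def vbr_third_party_limit(vouching_domain: str = "vouch.example") -> int:
    # the vouching domain's own length eats into the author domain's room
    return max_author_domain_len(lambda d: build_vbr_query(d, vouching_domain))


def prefixed_limit(prefix_labels: list[str] = ["hhhhhh", "_tpa"]) -> int:
    # fixed prefix, so the limit does not depend on who vouches ("hhhhhh" is a placeholder)
    return max_author_domain_len(lambda d: build_prefixed_query(d, prefix_labels))


if __name__ == "__main__":
    print("VBR, domain vouches for itself:", vbr_self_vouching_limit())      # 122
    print("VBR, vouching domain vouch.example:", vbr_third_party_limit())    # 232
    print("fixed 12-char prefix:", prefixed_limit())                         # 241
```

The self-vouching VBR case halves the budget because the author domain occurs twice in the name, which is where the 122 figure comes from; a fixed-prefix lookup spends the same overhead for every domain regardless of the vouching service, which is the point the post makes about tpa-labels.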

With tpa-labels, a signer can utilize a vouching service by delegating 
their _tpa zone, or by using DNAME at this node.  Domains can also 
self-publish their own exception criteria in a manner transparent to recipients.

In addition, except for the indirection and extra transaction, there 
does not appear to be a significant difference between discard by 
reference and ADSP dkim=discardable?

-Doug

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html