-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org [mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Jeff Macdonald
Sent: Friday, October 01, 2010 4:19 PM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Updated implementation report
On Fri, Oct 1, 2010 at 1:05 PM, Dave CROCKER <dhc(_at_)dcrocker(_dot_)net> wrote:
On 10/1/2010 9:58 AM, MH Michael Hammer (5304) wrote:
As far as your example of intelligence, your question regarding
"importance" is incomplete. Important to whom and in what context?
Exactly. Please re-apply this point to the current topic...
Note, I didn't say that 3rd party signing was less important generally.
What I wrote (or intended to write) was that my belief is that 1st
party signing represents a higher value proposition to 1st party
signers than 3rd party signing represents to 3rd party signers.
Oh. Sorry. I didn't get that. It's an interesting idea but I'd want
to hear it explored quite a lot, since the idea of value is pretty
broad. For example, if 3rd party signatures allow an ESP to get mail
delivered better and, therefore, to stay in business, I'd be
hard-pressed to call DKIM's 'value' lower than for a first-party signer.
I find this exchange very interesting. I thought the value of DKIM was
to provide a stable identifier. I find 1st party signing to be rather
constrained. It seems to defeat the purpose of DKIM. One might as well
resurrect DomainKeys, because it seems to have the same goals as 1st
party signers.
I'd like to propose Author Domain Signatures as signatures that the
author domain authorized. The ATPS and ALS proposals are ways of doing
that. Update ADSP to use this definition instead of "d= matches the
RFC5322:From domain".
I believe this allows everyone to get the best value of DKIM.
I find the exchange interesting as well. Of course the purpose of DKIM is to
provide a stable identifier.... that does not mean that all stable identifiers
should be given the same weight.
Warren Buffett is a stable identifier. Michael Hammer is a stable identifier.
Which stable identifier are you going to give more weight to if the message
associated with the stable identifier relates to investing? Which stable
identifier are you going to give more weight to if the message associated with
the stable identifier is about email authentication?
Context is always important and trying to say that a 3rd party signature/stable
identifier is absolutely no different than a 1st party signature/stable
identifier brings us into Animal Farm territory......
All stable identifiers are equal but some are more equal than others.
There is an inherent difference between a domain signing a message for itself
and a 3rd party signing a message. It may not be stated in the RFC but it is
there nonetheless.
What you are proposing, Jeff, is a means to delegate signing to a 3rd party by
the first party. That is different than a 3rd party who handled the message
signing on the basis that it handled the message (what we have today). That is,
you wish to add delegated authorization.
The domain is the domain is the domain. 3rd parties may come and go. We do not
know how stable an identifier 3rd party signing is in the wild. It will be good
to have more data points before engaging in this discussion.
To pick on you a little, if a domain owner uses your approach to authorize
signing by an ESP1, what is the stable identifier we are talking about? Is it
specific to this customer or is it shared across customers? Does the domain
owner understand potential impacts on their reputation (assuming domain based
reputation systems ever get off the ground in our lifetime)?
What happens when the domain owner dumps ESP1 and goes to ESP2? Do they lose
whatever (we assume fantastic) reputation they had? Do they go to square 1 or
are they borrowing/renting reputation from ESP2? If they are borrowing/renting
reputation from ESP2, how do they know that ESP2 isn't using their domain's good
reputation to help other not so good senders at ESP2? Diluting the badness so
to speak.
I'm assuming this desire for 3rd party signing to have the same weight as 1st
party signing is somehow related to deliverability and not abuse. I've never
been a big fan of the reputation bandwagon. I view reputation as "What have you
done to me today". We can all sing that tune but not do the dance in spike
heels.
From my perspective, senders generally get the reputation they deserve. It
doesn't matter whether it is IP based or domain based. Mailbox providers are
not stupid. They can see the practices of senders as well as the response of
recipients. Many mailbox providers have better insight than the emitters of
mail streams.
Just a few random thoughts on a Friday afternoon.
Mike