On 7/28/11 2:03 PM, Mark Delany wrote:
>> DKIM should be viewed as a Work-In-Progress still missing a viable
>> policy layer.
> +1. But 5+ years WIP? :) It wasn't rocket science.
Well, 7+ years ago it was suggested that "Domain policy is nascent"
with the stated expectation that MARID would soon develop something
comprehensive to satisfy our needs...

Apropos rocket science, at our current rate of progress we risk
outliving the Space Shuttle program.

MARID offered unsafe chained record sets as an IP address authorization
scheme unrelated to what people were observing. Where IPv6 increases
the aggregate list and where DNSSEC increases the amplification, risks
to otherwise uninvolved sites increase with this scheme. Vetting
messages prior to acceptance likely plays a greater role in lessening
MTA burdens anyway.

Open-ended third-party relationships from a policy perspective may seem
difficult to express, but it remains possible, whether by the domain or
as a service, to acknowledge these relationships. An authenticated
domain can be authorized by a published hash label. This would be a
safe method to extend policy without requisite two party coordination as
currently expected by DKIM.

DKIM can be more than just making an assertion "this domain is too big
to block." With comprehensive policy, DKIM should be able to prevent
spoofing of a domain that may cause recipients to give up on the
service. Until policy can be comprehensively applied, other
authentication related benefits will likely remain elusive.

Of course, such a goal must include proper input validation by DKIM.

-Doug
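The "published hash label" authorization Doug sketches above, worked through as an added Python illustration of the receiver-side check (this is not code from the post, from MARID, or from any DKIM implementation); the SHA-256/base32 label encoding, the `_tpa` and `_policy` owner names, and the in-memory zone are all assumptions made for the example:

```python
import base64
import hashlib

# Constructed in-memory "DNS zone" (owner name -> TXT value) so the
# example runs offline; a real receiver would query DNS here.
ZONE = {
    # Assumed policy record: example.com asks receivers to require a
    # signature from itself or from a signer it has explicitly authorized.
    "_policy.example.com": "dkim=strict",
}


def tpa_label(third_party_domain: str) -> str:
    """Assumed label scheme: base32(sha256(lowercased domain)), 32 chars."""
    digest = hashlib.sha256(third_party_domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")[:32].lower()


def publish_authorization(author_domain: str, third_party_domain: str) -> str:
    """Author domain publishes one label per authorized third-party signer.
    Only the author domain acts; the signer needs no coordination."""
    name = f"{tpa_label(third_party_domain)}._tpa.{author_domain.lower()}"
    ZONE[name] = "tpa=1"
    return name


def is_authorized(author_domain: str, signing_domain: str) -> bool:
    """True if the DKIM-verified signer (d=) is the From: domain itself,
    a subdomain of it, or a signer the From: domain published a label for."""
    author, signer = author_domain.lower(), signing_domain.lower()
    if signer == author or signer.endswith("." + author):
        return True
    return f"{tpa_label(signer)}._tpa.{author}" in ZONE


def evaluate(from_domain: str, verified_signing_domain):
    """Receiver decision: 'accept', 'reject' (policy strict and no
    authorized signature), or 'unverified' (no policy published)."""
    if verified_signing_domain and is_authorized(from_domain, verified_signing_domain):
        return "accept"
    policy = ZONE.get(f"_policy.{from_domain.lower()}")
    return "reject" if policy == "dkim=strict" else "unverified"


# Constructed setup: example.com authorizes a bulk mailer as third-party signer.
publish_authorization("example.com", "mailer.example.net")
```

Because the label is a hash of the signer's name, the zone reveals nothing about which third parties are authorized to anyone who cannot already name them.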
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html