ietf-mailsig

RE: a draft on messaging, impersonation and identity

2004-10-17 10:44:40

From: Peterson, Jon
Sent: Sunday, October 17, 2004 3:35 AM

<...>

Those sorts of nits aside, I think I furthermore agree with the
substance of your mail: that if there is a question in MASS that
has not been addressed before, it is how a messaging system can
answer your second question above. I also agree that using
domain-based assertions rather than user-based assertions is
reasonable (it's what we decided to do for SIP, eventually).

Yes, I believe we are in agreement.  Even though the assertion is
domain-based, a domain still _could_ assert somewhere, perhaps in their
published sender policy, that they _do_ control the use of user identities
within their domain and a positive verification validates both the domain
and the local-part.  Since most domains don't do this today, that would be
useful information for a recipient.  Unfortunately, it is hard to imagine
how a reputation system could deal with this in a meaningful way.  Many
domains would like to make this assertion, even if it isn't true, to appear
to be well-run and to give recipients more confidence in the communication.
For example, when you get a message from a company's purchasing department
giving you a purchase order number for a previous quote, you can have some
confidence it is really from people within the corporation who appear to
have the authority to give you this authorization.

The one mechanism that might stop domains from falsely making that claim
might be legal liability.  We would need the opinion of a lawyer on this,
but here's a scenario that might get a corporate counsel's attention.  A
company publishes a sending policy that states they control the use of user
identities within the domain but doesn't actually do this.  A disgruntled
employee writes an email forging the CEO's user name and makes a substantial
financial commitment on behalf of the company.  The recipient of such a
message would seem to have pretty reasonable grounds to trust that message,
act on it and hold the company to specific performance according to the
email.  This is a liability that not many companies would want, if it is
actionable.

At least in the American legal system, _anything_ is actionable, whether
justified or not, and the other party has to defend itself with little
chance of recovering its legal fees, even if they win.  Hence, the endless
chain of suits and counter-suits to give people something to bargain with
(I'll drop my frivolous claim if you'll drop yours).  Still, getting sued
under our system normally means you are out some money, whether you have
done anything wrong or not, and defendants are often pragmatically
encouraged to settle though an action may be groundless.  I do know that in
the American system,

If an assertion that a domain controls user names actually implies any real
liability, companies would only make that assertion if they really could
accomplish it.  Either that or no-one would make the assertion, since the
counsel's job is to minimize liability, even if it affects business.  As I
said, it would be nice to hear from a lawyer or two on this, or anyone on
the list who has knowledge of the legal status of email in any particular
jurisdictions, before considering that as a possible sender assertion.


I do think it is worth documenting and analyzing the varieties of more
specific assertions of identity as well, because, if nothing else, it
exposes elements of the problem space that help us to make design
decisions.

Yes, some discussion about the tradeoffs of making and validating different
levels of identity assertion would be useful.

--

Seth Goodman

