It is also worth noting that the lack of effectiveness of this, or
any other, signature scheme is also going to cause deployment
problems in and of itself. This in turn means that we need to start
considering how to attach meaning to domain identities sooner rather
than later, e.g. by devising some form of accreditation mechanism.

No kidding. I set up the IAR (identity, accreditation, and
reputation) subgroup of the ASRG exactly so people could start hashing
out some possibilities, and I'm chronically baffled that there is so
little apparent interest. We've had one proposal for a system that
does a custom UDP transaction that seems technically sound, Cloudmark
was trying a DNS-based thing that I can't find on their web site any
more, and I presume that MAPS has something in the works.

It seems rather obvious to me that mail system users are going to be a
lot better off if there is a small set of standard interfaces to
reputation systems, like there is to DNSBLs, so you can plug any
reputation system into any MTA. But I've seen surprisingly little
effort to work on that problem.