ietf-mailsig

Re: MASS Security Review document

2005-02-05 20:09:56

The information could take the form:

 <opaque-identifier>._rl.<signature-domain>
  or
 <opaque-identifier>._rl.<signature-domain>.<third-party-domain>

Encoding signatures as domain names is not a bad idea, but ...

This mechanism, used together with signatures, should save time and
revenue.  For large domains, not doing so would be a missed opportunity.

This is the Project Lumos fallacy.  I have no interest whatsoever in
distinguishing between a domain's nice users and its nasty users.  I
believe that each domain is responsible for keeping its users in line, and
the reason that signatures are useful is to help me alert domains about
undesirable mail they've sent.  If they send a lot of undesirable mail,
I'm going to reject the whole domain, not do their filtering for them.

Adding the ability for a domain to disclaim signed mail is a really bad
idea, because it pushes the responsibility off on the innocent recipients
of separating out a domain's spam from its good mail, thereby
reincarnating the spam filtering problem as the recipient signature
complicated checking problem.  If a domain wants to embed tokens in its
mail or its signatures so they can figure out which user was responsible
for what mail that gets complaints, fine, but that's an internal matter
and I don't want to know about it.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.

