ietf-mailsig

Re: epostage, hashcash, callbacks

2005-02-15 19:43:07

On Tue, 2005-02-15 at 19:55 -0500, John R Levine wrote:
> > When the HELO is within the Signature-domain, there should be no need to
> > check for account revocation
>
> Now I don't understand your proposal at all.  I was under the impression
> that the scenario is that a domain has a lot of users, some of whom may
> misbehave, and revocation would be a way to disclaim naughty mail
> retroactively.  I see no reason why the naughty users wouldn't be using
> the same channel as everyone else.

When the HELO is authenticated and is within the Signature-domain, a
query for a revocation record should be redundant.  Had the account been
revoked, it should not be possible for the account in question to send
through the signing domain's servers.

Concerns regarding "replay" would be from servers beyond the control of
the signing domain.  Allowances to permit the forwarding of mail, as
example, would be where infrequent use of a revocation check would be
desired and most valuable.  Use of the revocation-identifier thus
permits the same freedoms now enjoyed by unsigned mail, while enabling
the defense of the signature's reputation.

The domain's signature with either an authenticated HELO or a revocation
check would assure the recipient that the signing domain's policies are
in effect, which should include the quick response to reports of abuse.
("Cut off the spammer's oxygen supply" as Carl would say. : ) 

Responding to a signed abuse report that includes the
revocation-identifier (and a tally) should be easier than for those of
an unsigned message.  Correlating abuse data and obtaining
acknowledgment of cancellation also becomes a simpler matter for a
reporting bureau, when there are revocation-identifiers.  The
revocation-record ensures signed messages identified as originating from an
abusive account are not trickled through other domains for the duration
of the domain key, thereby damaging the reputation of the
signature.

> > Only for cases where the HELO and Signature are not coincident
>
> Why do you assume a message from, say, a Comcast user wouldn't be subject
> to hostile replay by another Comcast user?
>
> The more I hear about this, the more I see a problem masquerading as a
> solution in search of a problem.

It is a matter of how to judge what policies are in place for the
message being received.  By being able to rely upon the signature, an
assurance of these policies can be established, and this assurance adds
a great deal of value to the signature.  Being able to defend these
policies is not a solution in search of a problem; rather, it is a
problem, noted in the review, in search of a solution.

If Comcast applied their signature together with a persistent
revocation-identifier, then spam originating from a different account
would need to be confronted as well.  If abuse did occur, Comcast could
cancel these accounts in question.  With the revocation-identifier and
the published revocation record, Comcast would be sure no recipient
relying upon their signature would continue seeing these messages after
the abuse was detected and the account had been canceled.

Without the revocation-identifier, even with extensive white-listing,
those domains white-listed could be used to promulgate signed spam
without much to deter this activity.  The revocation-identifier does not
require every server to always apply their own signature.  Without this
mechanism, it would only require a few accounts expended per year to
enable a continuous stream of spam bearing another domain's
signature, driving the value of these signatures into the ground.

-Doug
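The decision rule argued over in this exchange (skip the revocation lookup when an authenticated HELO is inside the signing domain, otherwise consult the published revocation record for the message's revocation-identifier) as a small Python model. This is an added example, not code from the thread or from any mailsig draft: the message fields, the in-memory `RevocationDirectory` standing in for however records would actually be published, and the three outcome labels are all constructed here for illustration.

```python
"""Model of the revocation-identifier check discussed on ietf-mailsig.

Constructed example: field names, the lookup directory and the outcome
labels are assumptions made for this illustration, not a specification.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class SignedMessage:
    signing_domain: str       # domain whose signature the message carries
    helo_host: str            # hostname offered in HELO/EHLO
    helo_authenticated: bool  # receiver verified the HELO name (assumed mechanism)
    revocation_id: str        # persistent per-account identifier in the signature


class RevocationDirectory:
    """Stand-in for the signing domain's published revocation records.

    Keyed by (signing_domain, revocation_id). The thread does not say how
    records are published, so this is an in-memory placeholder; it counts
    lookups so the "redundant query" argument can be checked.
    """

    def __init__(self):
        self._revoked = {}
        self.lookups = 0

    def revoke(self, domain, revocation_id, reason):
        self._revoked[(domain.lower().rstrip("."), revocation_id)] = reason

    def is_revoked(self, domain, revocation_id):
        self.lookups += 1
        return (domain.lower().rstrip("."), revocation_id) in self._revoked


def helo_within_domain(helo_host, signing_domain):
    """True when the HELO name is the signing domain or a subdomain of it."""
    h = helo_host.lower().rstrip(".")
    d = signing_domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def revocation_check_needed(msg):
    """Lookup is redundant only when HELO is authenticated AND in-domain.

    An unauthenticated HELO that merely claims an in-domain name must
    still trigger the check: anyone can type a hostname into HELO.
    """
    direct = msg.helo_authenticated and helo_within_domain(
        msg.helo_host, msg.signing_domain
    )
    return not direct


def evaluate(msg, directory):
    """Classify a signed message as accept-direct, accept-checked or reject-revoked."""
    if not revocation_check_needed(msg):
        return "accept-direct"
    if directory.is_revoked(msg.signing_domain, msg.revocation_id):
        return "reject-revoked"
    return "accept-checked"


def run_demo():
    """Constructed scenario: one account at example.net is cancelled for abuse.

    Returns the outcome of each message and the number of lookups performed.
    """
    directory = RevocationDirectory()
    directory.revoke("example.net", "acct-4711", "abuse report, account cancelled")

    messages = {
        # Submitted through the signing domain's own server: no lookup.
        "direct": SignedMessage("example.net", "mta1.example.net", True, "acct-1234"),
        # Forwarded copy of the abusive account's mail: lookup, revoked.
        "forwarded-revoked": SignedMessage("example.net", "relay.forwarder.example", True, "acct-4711"),
        # Forwarded mail from a good account: lookup, still accepted.
        "forwarded-ok": SignedMessage("example.net", "relay.forwarder.example", True, "acct-1234"),
        # Unauthenticated HELO claiming the signing domain: lookup anyway.
        "spoofed-helo": SignedMessage("example.net", "mta1.example.net", False, "acct-4711"),
    }
    outcomes = {name: evaluate(msg, directory) for name, msg in messages.items()}
    outcomes["lookups"] = directory.lookups
    return outcomes


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:18} {result}")
```

The point the model makes concrete is the one Doug argues: the direct path performs no query at all, while every hop outside the signing domain (including a HELO that only claims to be inside it) costs exactly one lookup, which is where a revoked identifier stops the replayed mail.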