On July 21, 2005 at 07:48, "Hallam-Baker, Phillip" wrote:
To repeat: so far, no such constituency
has been evident.
That there is a constituency is very evident, the only debate here is
over the size of the constituency.
Shall we vote? :)
I agree with Mr. Hallam-Baker that there is a constituency, and much
of that constituency may not be directly involved with DKIM. I.e.
There is definite business ventures going on related to what DKIM is
doing, and those ventures are interested in TTP.
IMHO, I think reputation/accreditation is inevitable for DKIM, or
something very similiar to it. Adding the "hooks" for it appear
to very simple to do, so I am not sure why there is resistance to
it.
A common mistake in the development of cryptographic systems is the
assumption that if cryptographic algorithms are used, the system
is secure.
All DKIM currently does is validate a domain's authority over a given
piece of email. That's it. If the domain is friendly or malicious,
this is not addressed. Now, if someone mentions that things like
white/grey/blacklisting can be done, well, you are now dealing with
a reputation system, and such lists are already deployed minus DKIM.
Therefore, as DKIM is now, does it provide any real value? As the
DKIM draft states, there is a hope that it will help deal with spam
and phishing, but I am not fully convinced that it really does anything
effective to deal with these problems.
DKIM does not fully protect sender identity. Jim stated that things
like spoofy will be addressed better in the next revision along with
the sender policy draft, but I have some reservations, but will defer
final judgement until I see them.
It would definitely help the document to provide some real spam/phish
scenarios that DKIM would actually protect against so the value of
DKIM can be better judged by those that are interesting in adopting it.
If "polluting" the document with such information is not desired, maybe
a separate information document can be written.
--ewh