Folks,

Once one has validated (authenticated) a signature, the fun really begins: The
agent doing the authentication gets to *use* the validated identity for
performing some sort of assessment, such as whether the validated identity is a
"safe" sender of email.

Under the general category of identity "assessment", there already are multiple
groups publishing reports and it appears that the numbers will grow.

Terminology for this topic has not yet stabilized and some terms are even used
ambiguously, but some consistent usage is emerging:

A simple partitioning is between

1. those publishers who assess historical behavior, making statements about
   the "reputation" of the signer, and

2. those who work with the signer to ensure that the signer conforms to
   standards that are specified and enforced by the agent publishing the
   assessment; this is called "accreditation".

One view of DKIM is that its sole, near-term purpose is to provide an accurate
and reliable identity to be assessed. However, DKIM, itself, is not designed to
perform or report assessments.

Still, there is clearly group interest in considering at least the relationship
between DKIM and assessment mechanisms that might use it, and possibly to
specify some aspect of DKIM usage with these mechanisms.

In that context, some obvious questions are:

What support for assessment mechanisms is required for the core DKIM mechanism?

What support for extensible support (and, yes, that's recursive) of assessments
is needed?

Other questions are encouraged.

d/
---
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
WE'VE MOVED to: www.bbiw.net