(Please forgive the HTML - not at my normal desk at the moment.)
Gordon Fecyk <gordonf(_at_)pan-am(_dot_)ca> wrote:
>> From: Hallam-Baker, Phillip [mailto:pbaker(_at_)verisign(_dot_)com]
>
>> But I would certainly accept that we need to change the
>> equation, assume all email guilty until proven innocent.
> I hope you mean that _recipients_ would assume this, as a matter of
> individual choice.
Yep. If you're going to hold me to "The recipient decides," then
hold me to it here, too. As I've noted, I don't want a third party to
implicitly tell me to treat all senders as suspect until proven otherwise.
> Then it's a matter of how to prove innocence. For me, the
> sender (domain) demonstrating accountability is enough.
> Ah, but what counts as "demonstrating accountability"?
Good question. My idea of demonstrating accountability, at least per
domain, is the domain identifying a sending host as one of theirs. All of
the proposals to date use this approach to let a domain administration
demonstrate accountability. There may be better ways, which is what I
believe we're here to find.
> A lot of the largest ISPs have an <abuse> mailbox, which even generates
> pleasant-sounding autoreplies, but there's considerable controversy
> whether abuse complaints are acted upon...
That's not very accountable, agreed.
I want to be able to complain to a domain in the following escalating
order (this is just my preference): abuse mailbox (if it exists - it's not
required), postmaster mailbox, whois contacts, hosting ISP. From there I
want to refuse mail from the domain if it's unresolved.
I can't do that if the mail claiming to be from a domain isn't really
from the domain, or isn't from a user or host the domain's accountable for.
> > I'd want that demonstrated by the sender (domain) and not by a third
> > party however.
> I'm afraid I don't understand _how_ a sender you have no out-of-band
> contact with _could_ demonstrate this.
I'd like to think THAT's one of the reasons we're here. To provide a
way for an enterprise to demonstrate e-mail accountability.
> Personally, I'd want multiple third-party evaluations of how responsive
> they are to <abuse> reports.
The receiver decides, and I would never fault you for wanting this
kind of information before accepting a domain's mail. I'm not comfortable
with it and I believe it has too high a barrier to entry for senders. If the
domain administration can tell me directly, I'll trust that first. Finding a
way for them to tell me, again, is why I believe we're here.