Re: We need an IETF BCP for GREY LISTING

2011-10-19 15:42:09

On 10/19/11 6:53 AM, Keith Moore wrote:
On Oct 19, 2011, at 8:52 AM, Frank Ellermann wrote:

That RFC 5782 isn't on standards track is actually a disgrace on the
IETF side of "non-research".

That RFC 5782 was published at all is a disgrace. Blacklists based on IP addresses are an abomination, and DNS is a lousy mechanism for distributing them.
Also this strategy will fail and will cause disruption when extended to IPv6 addresses and those translated to IPv4.

With respect to accountability, clients hold services accountable for satisfying their needs. Without authentication of outbound MTAs, blocking could be due to malefactor spoofing. Such errors are not the fault of the blocking service when senders offer nothing else.

The practice of abusive blocking based upon the IP address is largely due to there being NO practical outbound MTA authentication method. Accurate accountability requires scalable authentication.

IP address _authorization_ does not authenticate those transmitting the message. Nor can actions be determined by a signature scheme that omits both those transmitting the message and their intended recipients. Accountability must be based upon verified actions.

While may have signed content, DKIM signatures do not indicate whether acted to send the message to specific recipients. With many domains sharing the same IP address for their outbound MTA, authorization should never be construed as verifying that acted to send the message.

These two schemes ONLY satisfy those domains afforded "too big to block" status. Everyone else might as well outsource these services to them. It seems the prevailing attitude is to advance blocking services for IPv6 by standardizing on rating and reporting methods, while still neglecting a fair method to authenticate.