On 10/19/11 6:53 AM, Keith Moore wrote:
> On Oct 19, 2011, at 8:52 AM, Frank Ellermann wrote:
>> That RFC 5782 isn't on standards track is actually a disgrace on the
>> IETF side of "non-research".
>
> That RFC 5782 was published at all is a disgrace. Blacklists based on
> IP addresses are an abomination, and DNS is a lousy mechanism for
> distributing them.

Also this strategy will fail and will cause disruption when extended to
IPv6 addresses and those translated to IPv4.

With respect to accountability, clients hold services accountable for
satisfying their needs. Without authentication of outbound MTAs,
blocking could be due to malefactor spoofing. Such errors are not the
fault of the blocking service when senders offer nothing else.

The practice of abusive blocking based upon the IP address is largely
due to there being NO practical outbound MTA authentication method.
Accurate accountability requires scalable authentication.

IP address _authorization_ does not authenticate those transmitting the
message. Nor can actions be determined by a signature scheme that omits
both those transmitting the message and their intended recipients.
Accountability must be based upon verified actions.

While example.com may have signed content, DKIM signatures do not
indicate whether example.com acted to send the message to specific
recipients. With many domains sharing the same IP address for their
outbound MTA, authorization should never be construed as verifying that
example.com acted to send the message.

These two schemes ONLY satisfy those domains afforded "too big to block"
status. Everyone else might as well outsource these services to them.

It seems the prevailing attitude is to advance blocking services for
IPv6 by standardizing on rating and reporting methods, while still
neglecting a fair method to authenticate.

-Doug
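The RFC 5782 lookup the thread argues about, as an added example that is not part of any message above: it builds the IPv4 and IPv6 (32 reversed nibbles) query names, resolves them against a constructed offline stand-in for a DNSxL zone, and runs the section 5 consistency check (test addresses listed, loopback addresses not) that a receiver should apply before trusting a list. The zone name `dnsbl.example`, the zone contents and the `127.0.0.2` return code are constructed sample values.

```python
import ipaddress


def dnsxl_query_name(address: str, zone: str) -> str:
    """Build the RFC 5782 query name for an IP address under a DNSxL zone.

    IPv4: octets reversed (2.0.0.127.zone.). IPv6: all 32 hex nibbles of
    the fully expanded address, reversed, one nibble per label. Note the
    key is the connecting IP only; nothing in the query names the sending
    domain, so every domain behind a shared outbound MTA is keyed alike.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = reversed(ip.exploded.split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def lookup(address: str, zone: str, zone_data: dict) -> list:
    """Return the A-record codes the DNSxL answers for address, or []."""
    return list(zone_data.get(dnsxl_query_name(address, zone), []))


def check_test_entries(zone: str, zone_data: dict) -> bool:
    """RFC 5782 section 5 sanity check: the test addresses 127.0.0.2 and
    ::FFFF:7F00:2 must be listed, and 127.0.0.1 / ::FFFF:7F00:1 must not.
    A list failing this is either dead, wildcarded, or misconfigured."""
    must_list = ("127.0.0.2", "::ffff:7f00:2")
    must_not_list = ("127.0.0.1", "::ffff:7f00:1")
    listed = all(lookup(a, zone, zone_data) for a in must_list)
    clean = not any(lookup(a, zone, zone_data) for a in must_not_list)
    return listed and clean


# Constructed stand-in for a DNSxL zone (offline, not a real list): the
# required test entries plus one sample IPv4 and one sample IPv6 listing.
ZONE = "dnsbl.example"
SAMPLE_ZONE = {
    dnsxl_query_name(a, ZONE): ["127.0.0.2"]
    for a in ("127.0.0.2", "::ffff:7f00:2",
              "192.0.2.10", "2001:db8:1:2:3:4:567:89ab")
}


if __name__ == "__main__":
    print(dnsxl_query_name("2001:db8:1:2:3:4:567:89ab", ZONE))
    print("listed:", lookup("192.0.2.10", ZONE, SAMPLE_ZONE))
    print("zone passes RFC 5782 self-test:", check_test_entries(ZONE, SAMPLE_ZONE))
```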