spf-discuss

Re: possibilities for 2822

2005-08-23 21:17:47
Hector Santos wrote:
 
> Dave + Ned + Eric is impressive.
 
Ha! :-)

Hm, I know that you have your differences with Dave and Keith
and Bruce and John, but if you now also add Ned and Eric all
living e-mail-authorities are "out".  Better not do that ;-)

>> Eric's summary yesterday on the DKIM list was very
>> interesting:
>
> What did you find interesting?  Didn't impress me

What I said next in the quoted article was:

| But I still don't see the "why" in comparison with other
| ideas.

BTW, I also liked your SSP tables.  Three days later, I read
the complete (long) thread with Scott and Doug, plus what
Keith said.  Finally I'm beginning to see the light.

DKIM allows arbitrary parties to sign whatever they like.
Any "DKIM PASS" has the decent charm of an "SPF PASS", it
means absolutely nothing, unless you know the signing party.

And what DKIM signs can be completely bogus, the signer only
promises "that's how I got it, whatever it might be".  It
can be spam, it (headers selected by h=...) can be forged.

> Otherwise DKIM, as I proved, is a waste of time and in fact
> can cause MORE HARM

I don't see any "more harm", but "waste of time" is possible.

For naive users thinking that "PASS" has any value of its own
it could be harmful, a DKIM PASS isn't better than an SPF PASS.

> It has become fairly obvious what is really going on there is
> to get DKIM accepted as an isolated weak signal protocol so
> that CSV, DNA can be the next "incremental" steps.

A DKIM PASS from a known trustworthy party has some meaning.
Without "reputation" / trust it's pretty useless, spammers
can create a DKIM PASS almost as easily as an SPF PASS.

Actually an SPF PASS has one feature that a DKIM PASS doesn't
have:  You can simply challenge an unknown SPF PASS.  Whatever
the effect might be, it won't hit an innocent bystander.  So
SPF PASS has value without complex "reputation" solutions, a
white list is good enough.

For an unknown DKIM PASS all you have is a domain (or i=) for
abuse reports that won't hit innocent bystanders.  That's in
fact not very impressive.  If you couple it with "Senderbase"
like Ironport it's probably more interesting.  Ordinary users
will hate DKIM, tons of worthless obscure header fields.  Bye
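
Added example, not part of the original message or of any DKIM implementation: a receiver-side check that gives a DKIM PASS weight only when the signing domain (d=) is locally known, and lists the headers that h= leaves unsigned. The trusted-signer set, the verdict names, and the sample header are constructed assumptions; the cryptographic verification result is taken as an input.

```python
import re

# Assumption: a locally maintained white list of signing domains.
TRUSTED_SIGNERS = {"example.org"}

# Constructed sample DKIM-Signature value (folded; bh=/b= are placeholders).
SAMPLE_SIG = ("v=1; a=rsa-sha256; d=bulk.example.net; s=sel1;\r\n"
              "\ti=@bulk.example.net; h=from:to:subject; "
              "bh=CONSTRUCTED; b=CONSTRUCTED")


def parse_dkim_signature(value):
    """Parse the tag=value list of a DKIM-Signature header into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")  # values may contain '='
        if sep:
            tags[name.strip()] = val.strip()
    return tags


def assess(verify_result, sig_value, present_headers, trusted=TRUSTED_SIGNERS):
    """Combine a verifier's result with local knowledge of the signer."""
    tags = parse_dkim_signature(sig_value)
    domain = tags.get("d", "").lower()
    signed = {h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()}
    # Headers present in the message but not covered by the signature.
    unsigned = sorted(h.lower() for h in present_headers if h.lower() not in signed)
    if verify_result != "pass":
        verdict = "no-signal"        # assumption: only PASS is weighed here
    elif domain in trusted:
        verdict = "trusted-signer"   # PASS from a party the receiver knows
    else:
        verdict = "unknown-signer"   # PASS that says nothing by itself
    return {"verdict": verdict, "domain": domain,
            "identity": tags.get("i", ""), "unsigned_headers": unsigned}


if __name__ == "__main__":
    print(assess("pass", SAMPLE_SIG, ["From", "To", "Subject", "Reply-To"]))
```
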


