On Fri, 2005-12-23 at 17:27 -0500, Nathaniel Borenstein wrote: > > Far from trying to "leave only one authorization method," the DKIM > effort is an attempt to show, by example, how an arbitrary number of > such methods might eventually be elaborated and standardized. There is danger viewing any abuse control mechanism as representing a "authorization" scheme. The control method should strive to identify the source of abuse, and not just whether the message has been authorized. The DKIM signature provides a fairly strong indication of the message source, with a normal potential for abusive replay as with any cryptographic method. > It is an attempt to define one method first, as a step towards > defining as many of them as possible/necessary rather than arguing > endlessly over which is best. For most of us, support for DKIM does > NOT imply opposition to any other proposals related to controlling > spam and related ills. A lot of us who have worked on DKIM were > previously active in trying to bridge the gap between SPF and Sender- > ID, and despite the disappointments we'd still like to see that effort > succeed, as well as quite a few other anti-malware ideas and > technologies. Those who envision SPF or Sender-ID as a means to control spam, clearly have not considered the inherent weakness in an "authorization" scheme. Bad actors are adept at adopting any such authorization. Reputation remains the only solution able to abate the bulk of abuse. When reputation is applied against an "authorization" as an identifier, innocent email-address domain owners will be seriously harmed. Abusers will find acceptance methods for an authorization scheme. To abate abuse, name-based identifiers are needed to overcome growing exploits. Reliance upon "authorization" as an abatement control must be avoided as inherently unfair. The DKIM signature can identify the email source, and when considered independent of any email-address, can establish non-disruptive reputation based abatement controls. A verified EHLO can also serve the same purpose. There are drafts and MTA extensions available today to offer this similar low cost solution. If the desire were really to abate abuse, there is no mystery what can help. CSV, BATV, and the base DKIM would be examples of schemes that can identify email sources. Name-based schemes can significantly reduce the amount of spam when coupled with fair reputation assessments. Authorization is clearly not an abatement solution. Authorization should be seen as a method to shift the burden onto the email-address domain owner. The outcome of an authorization strategy in today's shared environments would likely damage the reputation of most email- address domains. The exception may be for the mega-domains less sensitive to reputation assessments simply due to their size. DKIM should be devised to exist without requiring an authorization scheme to handle message replay or unsigned messages. When MTAs and MUAs are designed to recognize the source of email using DKIM signatures, reliance upon authorization (or reputation) for spoofing protection would be unnecessary. Reliance upon visual examination that often involves acquiring every look-alike domain may also become unnecessary. Recognition ability could be rapidly included in the MTA to offer immediate protections for commonly spoofed domains, while avoiding the disruption an "authorization" scheme is sure to cause current email practices. -Doug _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf