On Dec 27, 2005, at 7:33 AM, Nathaniel Borenstein wrote:
> I'm sorry, the "authorization method" was an echo of the term used
> in the mail I was replying to (which is why it was in quotes). I
> was really trying to generalize to a whole range of technologies
> without making my wording too awkward. Perhaps I should have
> replaced "such methods" with "antimalware technologies" or "abuse
> control mechanisms." In any event, I fully agree that the term
> authorization, in this context, is both A) insufficiently
> generalized, and B) troublesome on countless philosophical grounds.

The response was specifically against the use of "authorization."
With respect to SPF/Sender-ID or SSP, these are indeed email-address
"authorization" schemes. With Sender-ID, "authorization" has been
incorrectly described as a form of "authentication", and much like
Sender-ID, SSP appeared more by way of introduction rather than
discussion. All of these "authorization" schemes, especially SSP,
will disrupt the delivery of legitimate email. This "authorization"
scheme also proposes untold numbers of DNS lookups for perhaps any
number of From addresses and signatures. The art of "open-ended
authorizations" (burden shifting) in SSP will soon include
"authorized" signature lists. SSP also considers itself a "weak"
form of "authentication" by directing complaints to email-address
rather than the signer. :(

> > Reputation remains the only solution able to abate the bulk of abuse.
>
> The word "only" makes me cringe a bit in any discussion like this
> (a global fascist state, for example, is another possible
> solution), but I think most of us pretty much agree about the
> critical role of reputation.

Some view a closed system, rather than a system open to tens of
millions of email-address domains, as an alternative to reputation.
Even in that austere system however, each would consider their access
contingent upon their reputation for good behavior. Reputation is an
unpleasant reality where identifying those culpable for abuse _must_
_not_ be taken lightly.

> I see the cycle as going like this: We need at least one
> standardized, moderately-useful system for weakly authenticating
> the sources of messages.

I see the base DKIM draft forming a solid basis to identify email
sources. The ill-considered SSP draft will seriously hinder the DKIM
effort. Serious problems are already being handled by way of burden-
shifting, rather than considering real solutions. The related
expense associated with an imposition of a disruptive email-address
authorization scheme does not justify this component's inclusion
within the DKIM charter. With far less overhead, spoofing attempts
can be thwarted without email-address authorizations. Many of the
serious crimes depend upon embedded links rather than use of an email-
address (which are never seen by the majority of recipients). A
solid basis for the source of an email-address will significantly
enhance protective strategies. It is a dangerously false premise
that an authorization scheme offers protection, as any assurance in
that regard will increase the success rate of criminal fraud.

> Once we have that, we have the minimal data that a reputation
> system will require to be able to start doing something at least
> mildly useful.

Please note authentication does _not_ include SSP.

> Once we have *that*, we will have (in our reputation systems) a
> built-in "market" for additional systems for (perhaps less weakly)
> authenticating the desirability (not necessarily solely due to the
> source) of incoming messages. To some extent, there's a chicken-
> and-egg problem with authentication and reputation technologies.
> My hope for DKIM is that it will give us one good enough egg to
> produce a chicken, which can then (in much the manner that Cain and
> Abel found their wives, I guess) facilitate a whole new generation
> of authentication technology eggs.

Agreed. Do not let the ill-conceived SSP derail DKIM.

> > When reputation is applied against an "authorization" as an
> > identifier, innocent email-address domain owners will be seriously
> > harmed. Abusers will find acceptance methods for an authorization
> > scheme.
>
> Yes, every one of these schemes will be flawed. That is why we
> need to understand A) the role of "weak authentication" (weeding
> out some but not all of the bad guys at any point in time, and
> using multiple sources of information to judge the desirability of
> a message) and B) the need for a continually evolving set of (ever-
> stronger, we hope) mechanisms for proving that a message is
> desirable to the recipient. Some of those mechanisms will also
> involve (ever-stronger, we hope) sender authentication, but others
> could eventually involve technologies as unrelated to
> authentication as anonymous payment.

To ensure email does not self-destruct, use of reputation against
authorizations _must_ be avoided as imposing highly unfair treatment,
even when email practices adapt to new paradigms. When governments
start issuing digital postage stamps, knowing the source of the email
message remains important. The recognition of these sources is
beyond visual examination that can _not_ be aided by an authorization
scheme. MUAs will need to assist in the recognition efforts. DKIM
and recognition, but not authorization!
-Doug