Re: bozoproofing DKIM concerns

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On Jan 4, 2006, at 9:59 AM, Dave Crocker wrote:

E> AS I understand it the concern is that people who don't use DKIM
will eventually not be able to send e-mail to people who are using it. I'm not sure that this is something that people should be concerned about, indeed, the logic of this kind of system is that if it succeeds that's exactly what will happen.


Interesting.

I have not heard any DKIM proponent use that logic.

I have, however, heard critics fail to understand the difference between

a) special handling of "good" identities, versus continuing to have suspicious handling of "unknown" identities, and

   b) acceptance of good addresses and rejection of unknown.


The current proposed charter includes both the DKIM signature element that indeed provides a stable identifier. No additional problem should be created as a result of this more stable identifier of which I can foresee.

There is also a proposal to introduce an email-address authorization scheme that transposes the Sender-ID email-addresses with signatures and uses a far more disruptive From header rather than the less disruptive PRA. Will there be a PRA proposal for the SSP header selection soon?

The concern with this authorization scheme is that many email-address domains will likely be coerced into publishing some form of authorization to mitigate the high overhead otherwise imposed by the scheme. The next possible point of coercion would be to restrict authorization to a limited set of signatures which dramatically alters current practices and is inherently unfair. In general, when this authorization is used to accrue reputation as was done with Sender-ID, this imposes an unfair and highly disruptive element into how email functions.


Proponents seek to use DKIM for a), not b).

This mischaracterizes the concern raised significantly.


Critics keep asserting that b) is the only avenue that is possible.


Reputation based upon some identifier is already ubiquitously used to block abusive email. A stronger method of identification does not increase any concern related to 'b' except when applied to the SSP authorization instead of the signature. Even the SSP draft holds the email-address domain that provided the authorization accountable by way of complaints. The authorization scheme introduces a weaker and unfair method of identification.


So, they are wrong that it is the intent and they have no empirical basis for asserting that it is certain or even likely to occur.

There has already been a scheme implemented a major vender that uses authorization as suggested. A minor tweak to widely deploy system and instant problem.

-Doug


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]