[ietf-dkim] DKIM SSP: Security vulnerability when SSP record
does not exist?
Scott Kitterman
ietf-dkim at kitterman.com
Sun Aug 21 10:35:02 PDT 2005
Douglas Otis wrote:
> By industry, I am referring to institutions and companies who depend
> upon email to conduct business. Email is suffering with protocols that
> currently do not offer effective means for locating and preventing the
> repetitions of abusive behavior.
Thanks for clearing that up, I was afraid for a moment that the industry
you were saying would benifit would be the industry of companies
peddling anti-spam solutions. I'm glad that's not the case.
This also, I think, brings to light an important reason for the
divergence in our perspectives. I believe that you are saying that you
think DKIM's usefulness is primarily in supporting reliable name based
reporting so that repetition of abuse can be more effectively prevented.
If I got that right, then I understand why you are only interested in
the signature piece of DKIM.
Personally, from my perspective as a receiver, I have little interest in
cleaning the mess up after the fact. Although such post-facto reporting
mechanisms are useful in raising the marginal cost of abusive behaviour,
they aren't that helpful in stopping abusive mail getting sent. The
abuser just pops up elsewhere.
As a receiver, MY primary interest in technologies such as DKIM is as a
method to prevent abusive mail from being delivered in the first place.
I want to reject it before I ever take responsibility for it.
Assuming I understood what you are saying here, I think you are trying
to solve a problem that I personally have very little interest in. I am
curious if I'm alone in that regard? If that's all DKIM is for, then
I've got better ways to spend my spare time.
Thanks,
Scott Kitterman
More information about the ietf-dkim
mailing list