[ietf-dkim] Not exactly not a threat analysis
ietf-dkim at kitterman.com
Tue Aug 23 21:00:27 PDT 2005
domainkeys-feedbackbase02 at yahoo.com wrote:
> --- Scott Kitterman <ietf-dkim at kitterman.com> wrote:
>>So in your view, what is the accountability entity for a message sent to
>>you, the MUA/MSA/MTA that signed the message or the MTA that sent you
>>the message if they aren't the same?
> One definition of accountability might be; which party is best able to stop the
> traffic if you don't want it.
> Is stopping the traffic at a forwarder as useful as stopping the traffic at its
> I think a well-behaved forwarder is effectively transparent in the
> responsibility chain as they are solely acting on the instructions of the final
> recipient. In a sense, they are about as responsible as your LDA.
> Another definition of accountability might be; who should I sue over the
> traffic? Again, is it as useful to sue the forwarder or is the originator the
> party you really want to take to court?
> Given that forwarders do not create content I would categorize them as
> competent or incompetent rather than responsible or not responsible.
I guess that depends on exactly what we are talking about. Some
messages are pretty well inherently abusive while others it depends on
If it's a message that has some inherent characteristic that makes it
abusive (it's fraudulent for example), then going to the source makes
If it's a message that is not inherently abusive, but unwanted by a
particular recipient, then I think it's not so clear. Was the message
delivered to the recipient that didn't want it because of an action of
the sender, the receiver, or some third party? The signature tells you
nothing about that.
Frankly all this discussion about let's go get the guy that signed the
message makes me really wonder why I would ever want to sign a message.
Back to my hobby horse of the week for a moment, unless you offer a
benefit to the sender, they won't sign. To me being able to protect my
domain name in a deterministic way would be a benefit potentially worth
taking some risk for. Getting on a whitelist or being subject to some
third party proprietary reputation voodoo doesn't get my blood moving.