[ietf-dkim] Not exactly not a threat analysis

Scott Kitterman ietf-dkim at kitterman.com
Tue Aug 23 21:00:27 PDT 2005


domainkeys-feedbackbase02 at yahoo.com wrote:
> --- Scott Kitterman <ietf-dkim at kitterman.com> wrote:

>>So in your view, what is the accountability entity for a message sent to 
>>you, the MUA/MSA/MTA that signed the message or the MTA that sent you 
>>the message if they aren't the same?
> 
> One definition of accountability might be; which party is best able to stop the
> traffic if you don't want it.
> 
> Is stopping the traffic at a forwarder as useful as stopping the traffic at its
> source?
> 
> I think a well-behaved forwarder is effectively transparent in the
> responsibility chain as they are solely acting on the instructions of the final
> recipient. In a sense, they are about as responsible as your LDA.
> 
> Another definition of accountability might be; who should I sue over the
> traffic? Again, is it as useful to sue the forwarder or is the originator the
> party you really want to take to court?
> 
> Given that forwarders do not create content I would categorize them as
> competent or incompetent rather than responsible or not responsible.
> 
I guess that depends on exactly what we are talking about.  Some 
messages are pretty well inherently abusive while others it depends on 
the context.

If it's a message that has some inherent characteristic that makes it 
abusive (it's fraudulent for example), then going to the source makes 
perfect sense.

If it's a message that is not inherently abusive, but unwanted by a 
particular recipient, then I think it's not so clear.  Was the message 
delivered to the recipient that didn't want it because of an action of 
the sender, the receiver, or some third party?  The signature tells you 
nothing about that.

Frankly all this discussion about let's go get the guy that signed the 
message makes me really wonder why I would ever want to sign a message. 
Back to my hobby horse of the week for a moment, unless you offer a 
benefit to the sender, they won't sign.  To me being able to protect my 
domain name in a deterministic way would be a benefit potentially worth 
taking some risk for.  Getting on a whitelist or being subject to some 
third party proprietary reputation voodoo doesn't get my blood moving.

Scott Kitterman
