[ietf-dkim] Purpose and sequence for DKIM specification and deployment

Douglas Otis dotis at mail-abuse.org
Mon Aug 29 18:32:49 PDT 2005


On Aug 29, 2005, at 4:48 PM, Earl Hood wrote:

> On August 29, 2005 at 13:00, Douglas Otis wrote:
>
>
>> I would rather see clearly defined goals rather than attractive
>> phrases that appear to promise everything.  Attempts to define the
>> relationship of providers with mailbox-address will be highly
>> disruptive and should be avoided.  To provide a uniform level of
>> protection, an opaque identifier should be added by the accountable
>> domain.  This permits indirect methods to abate message replay abuse,
>> author forgery, and unauthorized access.
>>
>
> I'm unsure how effective the opaque ID will deal with replay abuse,
> but it appears to still have value for other security concerns.
> For example, by the time a replay is detected and a revocation
> record is added to DNS, the damage is probably already done.

I took the view of those running an abuse reporting service.  Often  
there is unintended abuse occurring that can be handled in a  
reasonably short time frame.  The expiry of the signature could be in  
days where the response to abuse becomes far more difficult to track,  
and also more profitable for the abuser.  Being able to curtail abuse  
within a reasonable time frame would occupy far less time for all  
involved.  In addition, the revocation mechanism itself can serve as  
an immediate confirmation of problem resolution.  There of course is  
the other benefit found when correlating the source of abuse which  
offers the domain administrator more concise information.  The abuse  
can be compiled and would not need to be sorted for clues of where  
the message originated from within the domain.

-Doug




