[ietf-dkim] Should DKIM drop SSP?
earl at earlhood.com
Wed Oct 26 21:17:08 PDT 2005
On October 26, 2005 at 19:11, Douglas Otis wrote:
> There are vast numbers of messages legitimately sent by those not
> identified in the From header. Should these messages all be rejected
> or deleted?
> The current SSP prohibition is exclusively based upon the email-
> address found in the From header and is the _only_ means available to
> repudiate messages from Bad Actors.
> The impact of only allowing this as the sole choice is significant and bad.
It may help if you can provide example scenarios illustrating
your points. For example:
* Examples of legitimate messages sent by those not identified
in the From header.
* Examples showing how SSP's From-centric approach is bad.
In general, giving examples provides a clearer understanding of the
problem and how the problem can be addressed, especially when
dealing with security issues.
Many discussions are in the abstract, at times causing little progress
to be made on a particular topic since people's views of the topic
may not be in sync.
> > that. If BofA can convey to me that no one can use their domain in
> > 2822.From unless authenticated, I'd love to oblige.
> There should be draconian measures made with respect to specific
> domains impacted by phishing when they are willing to endure the
> limitations. A simple mechanism that indicates which domains require
> such protections would be more immediately effective than the
> mechanism currently envisioned for SSP.
Semi-related comment: I think many that advocate a particular solution
use email in a specific manner, i.e., the solution fits well with
how they use email, but it does not fit well with all the legitimate
uses of email. This perspective can blind them to the
problems with the solution being advocated, problems that could even
> > They could care less about the bits involved in
> > implementing DK, DKIM, SPF, Caller-ID, whatever. They care about the
> > consequential outcome and the levers they have to protect themselves.
> At some point, this protection will include making the signing-domain
> visible to the recipient. In the meantime, with DKIM widely
> deployed and a large number of domains asserting that they sign all
> of their mail, far greater protections can be afforded by DKIM.
> Attempts to bind the assertion to the From address will result in
> negative ramifications that will inhibit an otherwise greater number
> of advantageous assertions and deployment of DKIM itself.
I think allowing binding to any OA header field provides better
flexibility as long as these semantics are made clear during
Frank alluded to the possibility that some header fields may need to
be handled a little differently to make such a system beneficial.
> All good. But phishing protection will form a poor basis for
> establishing a ubiquitous DKIM signature on all emails. The current
> SSP policy will not allow the typical ISP to sign their email
Please provide an example. Such an example may be useful for inclusion
in the threats document or some other document that highlights
barriers to adoption.
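As an added illustration, not part of this thread, here is a toy Python model of the From-centric check the thread debates, beside a signer-centric alternative of the kind Doug describes. The policy names, the policy table and the verdict rules are constructed assumptions for the illustration, not the SSP draft's actual syntax or algorithm.

```python
# Constructed toy model (not the SSP draft): decide a message's fate from the
# policy published by the 2822.From domain, and compare with judging the
# message on its visible signing domain instead.
from dataclasses import dataclass
from typing import Optional

# Constructed policy table keyed by From domain (assumed values):
#   "unknown": no policy published
#   "some":    domain signs some of its mail
#   "all":     domain signs all mail; a third-party signature is tolerated
#   "strict":  domain signs all mail; only a first-party signature counts
POLICY = {
    "bank.example": "strict",
    "isp.example": "all",
    "hobby.example": "some",
}


@dataclass
class Message:
    from_domain: str                  # domain of the 2822.From address
    signing_domain: Optional[str]     # d= of a verified DKIM signature, or None


def from_centric_verdict(msg: Message) -> str:
    """Accept or reject using only the From domain's policy.

    This is the binding the thread criticises: a mailing list or ISP that
    legitimately signs someone else's From address is treated as a stranger.
    """
    policy = POLICY.get(msg.from_domain, "unknown")
    if msg.signing_domain == msg.from_domain:
        return "accept"                          # first-party signature
    if policy in ("unknown", "some"):
        return "accept"                          # no "all mail is signed" claim
    if policy == "all":
        return "accept" if msg.signing_domain else "reject"
    return "reject"                              # strict: third party not enough


def signer_centric_verdict(msg: Message, trusted_signers: set) -> str:
    """Alternative: judge on the signing domain that is made visible."""
    if msg.signing_domain is None:
        return "unsigned"
    return "accept" if msg.signing_domain in trusted_signers else "unknown-signer"


if __name__ == "__main__":
    # A bank customer's post re-signed by a mailing list: legitimate, yet rejected
    # by the From-centric rule while the signer-centric rule can still accept it.
    relayed = Message("bank.example", "list.example")
    print(from_centric_verdict(relayed), signer_centric_verdict(relayed, {"list.example"}))
```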