[ietf-dkim] Should DKIM drop SSP?

Stephen Farrell stephen.farrell at cs.tcd.ie
Fri Oct 28 04:30:39 PDT 2005


Doug,

This thread doesn't really appear to be going anywhere.

Someone earlier asked you to provide examples. Why don't
you do that in a new thread - just an example showing the
worst bad effect you claim but without the extensive
discussion?

Stephen.

Douglas Otis wrote:
> 
> On Oct 26, 2005, at 8:30 PM, Hector Santos wrote:
> 
> 
>> So as a SMTP vendor, I really don't care what your mail is about, who is
>> from, etc, as long as you are who you say you are and if need be, you can be
>> contacted and/or mail can be returned (bounce). In other words, "play by
>> the rules" of the transport and email system.
> 
> 
> Fortunately, the policies established by the recipient can be much  
> stronger than those established by the government or SMTP vendors.   
> Playing by the rules should include not sending unsolicited bulk email.
> 
> 
>> So to me, DKIM with a strong SSP checking concept, provides another level of
>> transaction consistency checking that may be used by the SMTP-DATA or
>> POST-SMTP process to perform a final PAYLOAD check. I don't believe this
>> checking should include a "REPUTATION" concept at this level. I think "DKIM
>> signing consistency" is the key goal.
> 
> 
> I am not against the repudiation aspect of non-signed messages. The
> objection results from not considering which domain introduced the
> message. The current SSP is not compatible with current email
> practices and aimed specifically at establishing unfair reputation
> assessments on email-address domains, rather than signing-domains. Ask
> yourself why SSP precludes a signature that is not bound to some
> email-address. There could still be assertions that all servers within
> a domain sign all messages. See I-D.crocker-csv-csa-00 for an example.
> 
> 
>> In all cases, it is about verification of the transport process entities and
>> since we lack this with the current SMTP protocol, augmenting it with DKIM
>> should at the very least strongly offer a consistency model, not a weak
>> one.
> 
> 
> DKIM should identify the domain associated with the email message
> transport. It is over-reaching, to say the least, when attempting to
> use this mechanism to verify the author of the message. Leave that
> effort to OpenPGP and S/MIME. By establishing the accountable domain,
> abuse can be handled in a more efficient manner than it is today. This
> would also afford opportunistic identifications akin to that used with
> SSH. I don't think this aspect has been given any consideration.
> 
> -Doug