[ietf-dkim] Review of draft-fenton-dkim-threats-01

[Eliot Lear]

Eric,

> I'm not sure if that argument requires a plan to build a reputation
> system. However, if the argument is going to be such that a reputation
> system is required, then, considering that that's probably the
> hard bit, I would tend to think that such a plan would be useful, no?

Useful?  Yes.  Is it something the IETF should do?  I doubt it.  It 
strikes me that is the province of vendors at this point.  After all, 
what would the IETF standardize right now?  A mother-may-I protocol? 
How would it differ from a DBL?  Is this something SOMEBODY should do? 
Absolutely.  And we know it will be done because it is being done already.

But let me also say that even without reputation the system is still 
useful in stopping phishing attacks.  So much so that you recently saw a 
note from folks at ebay explaining why this would be useful to them even 
if a reputation system was never developed.

Eliot