[ietf-dkim] Review of draft-fenton-dkim-threats-01

Eric Rescorla ekr at networkresonance.com
Sat Oct 29 14:06:25 PDT 2005


Eliot Lear <lear at cisco.com> writes:

> Eric,
>
>> I'm not sure if that argument requires a plan to build a reputation
>> system. However, if the argument is going to be such that a reputation
>> system is required, then, considering that that's probably the
>> hard bit, I would tend to think that such a plan would be useful, no?
>
> Useful?  Yes.  Is it something the IETF should do?  I doubt it.  It
> strikes me that is the province of vendors at this point. After all,
> what would the IETF standardize right now?  A mother-may-I protocol?
> How would it differ from a DBL? 

All good questions, but to the extent to which DKIM's usefulness
depends on the answers, I think they need to be addressed first.


> Is this something SOMEBODY should do?
> Absolutely.  And we know it will be done because it is being done
> already.

By whom?


> But let me also say that even without reputation the system is still
> useful in stopping phishing attacks.  So much so that you recently saw
> a note from folks at eBay explaining why this would be useful to them
> even if a reputation system was never developed.

I understand that people believe this to be the case. However, given
that phishing basically depends on either domain name confusion or
domain name hijacking, I don't consider that there have been 
particularly strong arguments made for why it would in fact
help (this goes back to my comments on the draft).

-Ekr



