[ietf-dkim] Re: dkim.org (mipassoc.org/dkim) web page updated

Scott Kitterman ietf-dkim at kitterman.com
Mon Nov 7 21:37:00 PST 2005 

On Mon, 7 Nov 2005 19:01:40 -0800 Douglas Otis <dotis at mail-abuse.org> wrote:
>
>On Nov 7, 2005, at 6:24 PM, Scott Kitterman wrote:
>
>> On 11/07/2005 20:37, Douglas Otis wrote:
>>
>>> DKIM without SSP can be better than with SSP.  Take out the SSP
>>> approach, and there should be fewer concerns with respect to
>>> potential impact, while there would not be any benefit lost.  If
>>> anything there would be greater benefits as this approach offers more
>>> information without incurring additional overhead.
>>
>> I've no doubt that DKIM without SSP would be better for providers  
>> of large
>> scale commercial reputation services.  It would be pretty useless  
>> for me.
>
>DKIM without SSP provides an ability for Name-based white-listing of  
>transports.  Name-based white-listing/reputation would not be prone  
>to IP address exploits.  Filtering programs would have a verifiable  
>source for a message to permit a significant reduction in related  
>errors.  If there was abuse, there would be a verified name for  
>addressing complaints.  Why would that be useless for you?
>
It's not so much that it would be useless, just not worth the trouble.  For 
the mail my domains send/receive there are other more widely deployed 
technologies (doesn't really matter what, debating their merits is off 
topic for this list) that give me a decent name basis for whitelisting.  
It's not a hole in my arsenal that I have a serious need to fill (others 
will be in different situations, I know).

For reputation systems, I've little interest.  I'm a very small business 
and so the type of large scale systems you've described as being necessary 
for rapid/effective reputation are out of reach.  Honestly Spamassassin 
does well enough for me and it's not clear segregating reputation into a 
separate set of heuristics will produce a more reliable end result.  So, in 
short I doubt more heuristics will make things better and I can't afford 
them anyway.

>What major benefit do you expect?
>
I assume DKIM is going to happen one way or another.  So, SSP would provide 
a deterministic way for mail receivers to reject certain messages.  This 
will help me defend the reputation of my domains.  It will also perhaps 
provide some reduction in the risk that my domains' users will get phished 
(none of them use an MUA that only displays the pretty name).

In other words, what companies like yours intend to sell, I'm not buying.  
BTW, if you do succeed and kill SSP, I'm still not buying.  I just go and 
work on another solution.  The way I read the message from E-bay that was 
recently sent to the list, SSP is what they're looking for too.

This isn't to say I think SSP is done.  I dont't.  That's part of the work 
of the working group.

Scott K

More information about the ietf-dkim mailing list