[ietf-dkim] DKIM charter (Should DKIM directly prevent spoofing?)
dotis at mail-abuse.org
Tue Nov 15 17:58:23 PST 2005
On Nov 15, 2005, at 2:55 PM, Stephen Farrell wrote:
> Dave Crocker wrote:
>> 5. At some point, the question becomes one of worrying about
> > the DOS potential of your constantly posting lengthy notes
> > that regurgitate the same points that continue to fail to
> > gain support.
I have a tendency to delve too deeply, and I will attempt to curtail
this as best I can.
>> But, of course, that is just my own perspective.
> (No Dave, I'm fairly sure that others share your perspective:-)
> Doug, the charter as-is does have the required support to go
> forward. There's nothing to be achieved by trying for the
> changes you'd like at this stage. My bet is that those changes
> just won't happen given the where the consensus lies.
You could be right, but let's not skip over a rather important
discussion. I have no desire to disrupt progress.
This issue has not been well explored, and indeed remains a topic
that exists mostly under the surface. Much of the SSP effort was
done off the mailing-list. Even rather startling changes related to
multiple From email-addresses were added before discussion on the
mailing-list. Indeed, these last minute changes were not reviewed at
the BoF. Anticipating email-address constraints resulting from
proposed changes _should_ be explored. The charter unfortunately
seems to have reached a conclusion that the email-address will be
bound to what is essentially the MTA to MTA transport. : (
When the From email-address is considered to be independent of the
signing-domain, then best practices would allow a mailing-list to add
their signature without other changes. MUAs and Mailing-list
applications could continue to function as expected. Rather than
discovering the IP addresses used by mailing-list servers as
suggested, their signature could be used instead. Accountability
could be retained at the signing-domain.
Should DKIM be expected to directly prevent the misuse of a From
email-address? There should be little doubt that email filters will
independently ascertain domains experiencing spoofing exploits and
offer the needed constraints which will include much more than just
the From email-address. Over time, DKIM aware MDAs/MUAs will make
this effort unneeded. However, when these likely inadequate From
email-address constraints are seen as the norm, then a major and
expensive transformation in the way email works will occur.
Seeing this as the issue, I wish to disagree with Dave about what is
being said within the charter.
>> 1. The charter does not constrain email addresses.
The first two sentences of the charter:
| The Internet mail protocols and infrastructure allow mail sent
| from one domain to purport to be from another. While there are
| sometimes legitimate reasons for doing this, it has become a
| source of general confusion, as well as a mechanism for fraud
| and for distribution of spam (when done illegitimately, it's
| called "spoofing").
"sent from one domain to purport to be from another" refers to email-
This paragraph concludes with:
| ... and to publish "policy" information about how it applies those
| signatures. Taken together, these will assist receiving domains in
| detecting (or ruling out) certain forms of spoofing as it pertains
| to the signing domain.
Detecting a spoof of course _clearly_ refers to email-address
>> 2. Dkim does not create or specify any inherent email address
Should DKIM be specifying email-address constraints and directly
detecting spoofed email-addresses? This is a critical decision with
far reaching ramifications. This effort would only change the nature
>> 3. An IETF wg charter specifies near-term activities, not long term.
While indeed work would be near-term, goals should be appropriate
More information about the ietf-dkim