[ietf-dkim] Re: Domain Ownership
nobody at xyzzy.claranet.de
Sat Nov 26 01:50:27 PST 2005
Douglas Otis wrote:
> Sending messages where the From header field indicates the
> message's author is not exploiting or abusing the domain of
> the author's email-address.
In that case you have a Sender or Resent-* header field with
a "Purported Responsible Address", or it's a mailing list, or
something behind a news2mail (or similar) gateway, or it's a
submission to the moderators of a newsgroup.
That's a complete enumeration of all "allowed" possibilities,
isn't it? Please add any missing special cases.
> This SSP approach retreats to a point in time where there
> were but a few TLDs and just one character-set.
Let's ignore IMA / IEE for the moment, that won't fly in 2006,
and they'll offer some IMA-to-282 mechanism.
> An authorization scheme like SSP opens the door for unfair
> coercion, which shifts the burden onto an often hapless
> email-address domain owner.
It's fair if they know what they are doing with their "PRA",
and what they can't do with it after they bound it to an SSP.
Worst case, it won't work with some mailing lists / newsgroups.
If they know this they'll stay away from these lists / groups.
That's not "unfair", it's simply that you can't have your cake
and eat it too.
Same idea as SPF FAIL and 1123 5.3.6(a): Don't use a policy
if you're unwilling to bear its specified consequences.
> While this may seem ideal for some providers, SSP breaks
> many things and reduces freedoms while offering little of
> redeeming value.
How valuable this is will be the decision of the domain owner.
You always lose some freedom for more security. Obviously "my"
decision to get rid of 1123 5.3.6(a) isn't the way some others
want to go, so let them pick some less radical SSP solution.
All we have to do here is to specify _all_ effects, not only
for the trivial straightforward cases. I'd feel much better
about it if somebody here knows everything about x2mail and
mail2x gateways for some x != news (the latter is relatively
simple). And I trust that we have some IMAP experts here.
> SSP authorization is _not_ the only option that DKIM enables.
For some here it's an important DKIM feature, while finding a
reliable abuse-address is only secondary. Maybe that will
change in the future if the whole world agrees to reject mail
from "unregistered" sources. But we're not yet there.
> However, SSP makes things worse.
You're not forced to use SSP if you don't like it. I don't
intend to use any 2822-scheme (SSP or PRA), if that limits my
freedom to use "my" address in a mail or news header wherever
it pleases me. But others have different priorities, and
nothing's wrong with that.
Let's just make sure that the offered solution is no nonsense
and no obscured "FUSSP" working only after the whole world