[ietf-dkim] Re: The Value of Reputation

Douglas Otis dotis at mail-abuse.org
Tue Jan 3 15:34:32 PST 2006


On Jan 3, 2006, at 11:39 AM, Stephen Farrell wrote:
> Douglas Otis wrote:
>> On Jan 2, 2006, at 11:16 PM, Frank Ellermann wrote:
>>> Douglas Otis wrote:
>>>
>>>> dangerous open-ended policies as seen with SPF. (Very bad.)
>>>
>>> Define "open-ended":
>
> Aaaaargh! Please don't!

This was related to comments suggesting removal of the SSP draft from the  
charter.  What problem is created in providing a definition of  
terminology?


> Why not read and comment on the threats draft instead? You'll feel  
> much better, really.

I _did_ respond to the threat draft, but neither reading the threat  
draft nor the lack of response by _anyone_ else to this draft  
raises a level of comfort.  Please note the question raised with  
respect to section 3.2.2. "Identity-Related Fraud" has remained  
unanswered.

http://mipassoc.org/pipermail/ietf-dkim/2005q4/001571.html

SSP was introduced rather than produced out of open discussions.  SSP  
goes well beyond establishing the base DKIM draft.  The next steps  
should be to decide how DKIM can best be applied.  SSP presupposes an  
email-address authorization scheme is needed, beneficial, and safe to  
either assert or display.  As there has not been much consideration  
given for the secondary effects or the reconsideration of blatant  
assumptions, the statements in a threat review seem to have been made  
without any desire to defend the justifications used for the SSP  
mechanism.  At least Frank is willing to discuss these related issues.

There are at least two factors at play that may be hindering this  
process.  There is almost a rote method for dealing with email abuse  
which discerns tell-tale characteristics of abusive messages not  
prevented by a block-list.  There is also the security community with  
an almost rote method of combining identifiers with policies.  When  
a hammer is your only tool, everything looks like a nail.  The  
imagined solution is the application of an anonymous sender's policy  
applied to _some_ email-address found within the message.  This  
overlooks a few serious problems.  The anonymous sender can be a bad  
actor making their own policy.  The good actors will find themselves  
constrained by the complexity created by restrictive policies for  
email-addresses that lead to open-ended policies.

The bulk of abuse will be abated through the application of  
reputation in various forms.  The identifiers used in this process  
must be relatively strong to ensure a fair system.  The authorization  
strategy invites the use of an extremely weak identifier (perhaps  
seen as a tell-tale sign).  There are no safe assurances possible as  
a result of the application of the SSP policy. : (

-Doug






