[ietf-dkim] Re: The Value of Reputation

Douglas Otis dotis at mail-abuse.org
Wed Jan 4 11:20:40 PST 2006 

On Jan 4, 2006, at 9:13 AM, Frank Ellermann wrote:

> Stephen Farrell wrote:
>
>> there will be a time when the group should be focusing on the  
>> policy stuff, but its just not yet. For now we ought be focusing  
>> on the threats draft.
>
> s/now/tomorrow/ after the WG is chartered... ;-)  I think I've now  
> got Doug's terminology of "closed" vs. "open", it 's like "open  
> interval" vs. "closed interval" for real numbers.
>
> In that case it's wrong / esoteric / dubious (pick what you like)  
> for sets of IPs, because there's only a finite number of IPs.  We  
> don't need "open intervals" or the "axiom of choice" to construct  
> say three sets FAIL, PASS, and DUNNO covering all IPs, with each IP  
> in precisely one of these three sets.

How does a limit in the number of IP address effect this definition?   
While many wish to weigh acceptance criteria to divide results into  
multiple groups, the concern was regarding what is being permitted in  
terms of acceptance.  This acceptance may be judged harshly in binary  
terms.  Either the authorization blocks abuse or it doesn't.  With  
respect to the terminology, _any_ qualifier that was labeled as  
"Open" permits acceptance of abuse.

>
>> The comment was more directed to the rest of the folks discussing  
>> this with you over and over.
>
> If what he says about SPF is wrong / dubious I've to challenge it,  
> and I also don't see any "open-endedness" in SSP so far:

SPF and SSP will have similar problems.  With SPF, you have pointed  
out the RFC1123 5.3.6(a) issue that may cause those concerned with  
the resulting disappearance of messages to use the '?' qualifier,  
which is fairly common.  With SSP, the disruption in delivery of  
messages is even more pronounced.  Even posting messages to this list  
will be lost when a 'Closed' qualifier is used.  DKIM can not hope to  
dictate how identifiers are used by the receiving MTA administrator  
as they struggle to find the means to exclude spam.  Care must be  
taken to avoid the obvious unintended uses of authorization.  With  
the exception of a "Closed" qualifier, all the other qualifiers are  
largely meaningless and perhaps greatly misleading.  Any indication  
of even being within a "Closed" set of identifiers is also likely  
misleading.


> Every domain is free to send no mail, and to publish this as  
> "v=spf1 -all" or nullmx or what else.  It's also free to say that  
> it only uses certain routes, or always uses some kind of signature,  
> etc., and to publish this decision in a policy.

There have already been cases where a major ISP use coercion by  
deleting _some_ messages without _some_ type of authorization.  Even  
from other providers with otherwise good reputations.  This freedom  
is somewhat illusory when a sender must worry about whether messages  
are accepted, or simply vanish because DSN are also contingent upon  
the authorization.  : (

-Doug

More information about the ietf-dkim mailing list