[ietf-dkim] SSP; Is it safe and fair?

Douglas Otis dotis at mail-abuse.org
Wed Jan 4 13:59:21 PST 2006


On Jan 4, 2006, at 12:02 PM, Scott Kitterman wrote:
> On 01/04/2006 14:20, Douglas Otis wrote:
>
>> SPF and SSP will have similar problems.  With SPF, you have pointed out the RFC1123 5.3.6(a) issue that may cause those concerned with the resulting disappearance of messages to use the '?' qualifier, which is fairly common.
>
> This is completely contrary to my experience.  Because I use shared MTAs, almost all e-mails I send have an SPF NEUTRAL (?) result.

So this agrees that open-ended authorizations are not uncommon?  SSP also relies upon this open-ended method for similar reasons.  For as long as a domain has not become the target of abuse, why would there be a problem?  When used as an identifier, as purported by Sender-ID for example, protection of one's email-address domain's reputation relies more upon luck than design.  Moving closer to using "closed" authorizations will likely also require adoption of the PRA header selection algorithm or waiting for some rather major changes to occur. : (

> So, even if you start out with the premise the SSP is like SPF (I don't think that's right either), nothing that follows in the original e-mail is correct.

Are you suggesting the email-address domain owner providing the authorization will never be held accountable for the type of authorization they use?  It is not surprising to see a strong desire by providers to shift the burden of reputation onto the email-address domain owner, but this is not fair for many reasons.

What protection does an "open-ended" authorization provide the recipient?  How could this be considered safe?  Even assuming a "closed" authorization were used, this also relies upon the visual examination of the email-address, which is often not shown to the recipient.  Is there an assumption that the MUA must be altered to take advantage of the DKIM signature?  If that is the case, why not use recognition rather than authorizations, as this offers far greater safety.


-Doug
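The thread turns on the difference between an "open-ended" SPF authorization (a record whose final `all` term carries the `?` or `+` qualifier, so unlisted senders are not rejected) and a "closed" one (`-all`). The following Python is an added example, not part of this post or of any SPF implementation: it parses an SPF TXT record into qualifier/term pairs and classifies the authorization so a domain owner can audit what their own record actually promises receivers. The sample records are constructed, the `example` domains are placeholders, and treating anything other than `-all` (including `~all` and a missing `all`, which defaults to neutral under the SPF specification) as open-ended is this example's own reading of the thread's terms.

```python
import re

# Constructed sample records for illustration only (not real domains).
SAMPLE_RECORDS = {
    "closed.example":   "v=spf1 ip4:192.0.2.0/24 mx -all",
    "softfail.example": "v=spf1 include:_spf.mail.example ~all",
    "neutral.example":  "v=spf1 a mx ?all",
    "pass-all.example": "v=spf1 +all",
    "implicit.example": "v=spf1 a mx",          # no 'all' term at all
    "redirect.example": "v=spf1 redirect=_spf.example",
    "not-spf.example":  "v=DKIM1; k=rsa; p=MFww",  # a DKIM key, not SPF
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MODIFIER_RE = re.compile(r"^[a-z][a-z0-9_.-]*=", re.IGNORECASE)


def is_spf_record(record):
    """True if the TXT record starts with the SPF version tag."""
    terms = record.split()
    return bool(terms) and terms[0].lower() == "v=spf1"


def parse_spf(record):
    """Split an SPF record into (qualifier, term) pairs.

    Mechanisms get an explicit qualifier ('+' when none is written);
    modifiers such as redirect= carry no qualifier and are returned as
    (None, term).
    """
    if not is_spf_record(record):
        raise ValueError("not an SPF record")
    parsed = []
    for term in record.split()[1:]:
        if MODIFIER_RE.match(term):
            parsed.append((None, term))
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term))
    return parsed


def classify_authorization(record):
    """Return (kind, result) where kind is 'closed', 'open-ended' or
    'undetermined' and result is the outcome an unlisted sender gets.

    Only '-all' is treated as closed (an assumption of this example).
    """
    parsed = parse_spf(record)
    for qualifier, term in parsed:
        if qualifier is not None and term.lower() == "all":
            kind = "closed" if qualifier == "-" else "open-ended"
            return (kind, QUALIFIERS[qualifier])
    # A redirect= modifier hands evaluation to another domain's record;
    # deciding it would require a DNS lookup, which this example avoids.
    for qualifier, term in parsed:
        if qualifier is None and term.lower().startswith("redirect="):
            return ("undetermined", "redirect")
    # No 'all' term and no redirect: the spec's default for unmatched
    # senders is neutral, i.e. open-ended.
    return ("open-ended", "neutral")


def audit(records):
    """Classify every record in a {domain: txt} mapping; non-SPF records
    are reported as 'not-spf' rather than raising."""
    report = {}
    for domain, txt in records.items():
        if not is_spf_record(txt):
            report[domain] = ("not-spf", None)
        else:
            report[domain] = classify_authorization(txt)
    return report


if __name__ == "__main__":
    for domain, (kind, result) in audit(SAMPLE_RECORDS).items():
        print(f"{domain:20} {kind:12} {result}")
```

Run as a script it prints one line per sample domain; only `closed.example` comes out as closed, which is the point the post makes: a record that ends in `?all` or `+all` tells a receiver nothing about whether an unlisted sender is authorized, so the domain's reputation rests on luck rather than on the record.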