Attempted summary (was: Re: [ietf-dkim] DKIM and mailing lists)

Douglas Otis dotis at mail-abuse.org
Mon Jan 23 11:05:50 PST 2006


On Jan 23, 2006, at 10:26 AM, Eliot Lear wrote:
>
>> Eliot suggested list-servers (free email-address providers,  
>> newsletters, e-invites, photo-kiosks, etc.)  be picky about who  
>> they allow to use their services, but did not provide a  
>> description of that process.
>
> One obvious approach is to check the reputation of the applicant.   
> But this may not be needed for all lists, particularly moderated ones.

Even a moderated list would likely not be able to ferret out messages  
containing links that may, after being sent, transform into a website  
for spam or perhaps offer browser exploits.

When you say the reputation of the applicant, are you suggesting  
applications accompany a certificate to identify the individual?

Once messages have been signed, without an overlay strategy providing  
a means to hold the receiving domain accountable for not protecting  
signatures, controlling replay abuse demands perhaps impossibly rapid  
revocation of keys or policies.  The bad actor's strategy could  
easily stage replays when the administrator is asleep.

A bad actor is able to obtain tens of thousands of free email
addresses.  Only negative reputations for email addresses may perhaps
be safe to distribute, as any such list will also expose these email
addresses to spam abuse themselves.  Nevertheless, a negative
reputation is reactive after the fact.  The reputation and associated
reactions will be too late to be effective in abating a blitz replay.
Messages will have been signed and can be disseminated en masse, well
beyond the control of the list-server.

-Doug

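The replay problem Doug describes, as an added example that is not part of the original thread: a list server signs a post once, and the signature covers selected headers and the body but nothing in the SMTP envelope, so the same bytes verify no matter how many envelope recipients the replayer feeds them to. Removing the selector's published key only fails verifications performed after the removal. The message, the "DNS" table, the selector `lists` and the domain `example.org` are all constructed here; HMAC-SHA256 stands in for DKIM's RSA signature (an assumption made so the code runs offline with the standard library), and the canonicalization is a simplified relaxed form, not the exact RFC algorithm.

```python
"""Toy DKIM-style signing/verification to show why signed mail replays.

Assumptions (not from the original thread): HMAC-SHA256 replaces RSA, the
"DNS" is a dict, and canonicalization is a simplified "relaxed" form.
"""
import hashlib
import hmac
import re

# Constructed stand-in for the selector._domainkey.domain TXT record.
DNS_TXT = {"lists._domainkey.example.org": b"constructed-list-server-key"}

# Headers the list server chooses to sign (the h= tag). RCPT TO is not a header.
SIGNED_HEADERS = ["from", "to", "subject", "date", "list-id"]

CONSTRUCTED_POST = """From: member@example.net
To: ietf-dkim@example.org
Subject: Re: DKIM and mailing lists
Date: Mon, 23 Jan 2006 11:05:50 -0800
List-Id: <ietf-dkim.example.org>

Here is the text of a perfectly ordinary list post.
http://link.example/page-whose-content-can-change-later
"""


def parse(raw):
    """Split a message into [(lowercased name, value)] headers and a body."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        name, _, val = line.partition(":")
        headers.append((name.strip().lower(), val.strip()))
    return headers, body


def header_get(headers, name):
    return next((v for n, v in headers if n == name), "")


def canon_body(body):
    """Simplified relaxed body canonicalization: squeeze whitespace, drop trailing blank lines."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip()) for ln in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"


def canon_header(name, value):
    return name.lower() + ":" + re.sub(r"\s+", " ", value).strip() + "\r\n"


def parse_tags(value):
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = v.strip()
    return tags


def sign(raw, domain="example.org", selector="lists", dns=DNS_TXT):
    """What the list server does once per post: sign headers + body, never the envelope."""
    headers, body = parse(raw)
    bh = hashlib.sha256(canon_body(body).encode()).hexdigest()
    sig_hdr = (f"v=1; a=hmac-sha256; d={domain}; s={selector}; "
               f"h={':'.join(SIGNED_HEADERS)}; bh={bh}; b=")
    data = "".join(canon_header(n, header_get(headers, n)) for n in SIGNED_HEADERS)
    data += canon_header("dkim-signature", sig_hdr)  # signature header with b= empty
    key = dns[f"{selector}._domainkey.{domain}"]
    b = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
    return f"DKIM-Signature: {sig_hdr}{b}\n" + raw


def verify(msg, dns):
    """What a receiver does. Returns "pass" or a "fail: ..." reason."""
    headers, body = parse(msg)
    sig_value = header_get(headers, "dkim-signature")
    if not sig_value:
        return "fail: unsigned"
    tags = parse_tags(sig_value)
    key = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
    if key is None:
        return "fail: no key published"  # selector removed or never existed
    if hashlib.sha256(canon_body(body).encode()).hexdigest() != tags["bh"]:
        return "fail: body hash mismatch"
    data = "".join(canon_header(n, header_get(headers, n)) for n in tags["h"].split(":"))
    data += canon_header("dkim-signature", re.sub(r"b=[^;]*$", "b=", sig_value))
    expected = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(expected, tags["b"]) else "fail: signature mismatch"


def deliver(envelope_rcpt, msg, dns):
    """One SMTP delivery. The envelope recipient is never an input to verify()."""
    return envelope_rcpt, verify(msg, dns)


def demo():
    signed = sign(CONSTRUCTED_POST)          # list server signs the post once
    results = {"list_delivery": deliver("subscriber@example.com", signed, DNS_TXT)[1]}
    # Replay: identical bytes, arbitrary envelope recipients, still "pass".
    for rcpt in ("victim1@example.com", "victim2@example.com"):
        results[f"replay_to_{rcpt}"] = deliver(rcpt, signed, DNS_TXT)[1]
    # Editing the body to add spam text does break the signature ...
    results["tampered_replay"] = verify(signed.replace("ordinary list post", "BUY NOW"), DNS_TXT)
    # ... so the replayer leaves the bytes alone and relies on the linked page changing.
    # Revocation (removing the selector) only affects verifications done after it.
    results["replay_after_revocation"] = verify(signed, {})
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:32} {v}")
```

The two "fail" cases show the attacker's constraints and why Doug's concern stands: the replayer cannot edit the signed body, but has no need to, and the only lever the signing domain holds after the fact is key removal, which does nothing for copies already accepted and cannot be exercised faster than a blitz that is timed for when nobody is watching.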