[ietf-dkim] r= for instilling good domain-name practices

Douglas Otis dotis at mail-abuse.org
Mon May 1 11:38:04 PDT 2006


On Apr 29, 2006, at 4:23 PM, John R Levine wrote:

>> The text for the r= parameter indicated that as the number  
>> increases, the recommended annotation levels made by the signer  
>> also increase.
>
> Indeed, but we still have no idea how that translates into making a  
> reputation decision.

The r= parameter would allow the signer to assist the recipient in  
distinguishing between well vetted, and poorly vetted sources.   
Without this parameter, or a similar mechanism, the use of different  
signing-domains would be needed to make such distinctions.  The use  
of different domains represents a very bad practice that would  
further enable message spoofing.  The increased use of similar domain  
names would erode the recipient's ability to recognize who they are  
trusting.  The r= parameter permits a consolidation of sources having  
various levels of vetting, while still permitting the signer to offer  
guidance which sources have undergone minimal vetting and retain  
trust for select sources.

Even when "trust" annotations are limited to signing-domains trusted  
by the recipient, the recipient should also be able to exclude  
messages from receiving "trust" annotations when the signer also  
warns that the source has not been well vetted.   Having a mechanism  
for the signer to indicate which messages are from well vetted  
sources overcomes risks associated with the recipient's inability to  
recognize purported originating email-addresses contained within the  
message.

Message annotation will become critical when international domain  
names and local-parts are commonly used.  DKIM does not require that  
signers exclude messages because an email-address domain is different  
from that of the signing-domain.  It should also be acceptable that a  
trusted signing domain differs from that of an email-address  
contained within the message.


>> The assurance being made by the signer has _nothing_ to do with  
>> reputation.  This r= parameter relates to annotation  
>> recommendations made by the signing domain for a particular message.
>
> Oh, in that case, I have no interest in r values less than  
> infinity, and I don't think anyone else should, either.  If a  
> signer isn't prepared to take responsibility for the mail they  
> sign, they have no business signing it.

A signer can be highly responsible and _still_ sign messages from  
poorly vetted sources.  Otherwise, most email could not be signed.  A  
signer indicates who is accountable and who should disable abusive  
accounts when abuse is reported.  A signing domain may be very  
responsible, and yet sign messages from poorly vetted sources.  The  
r= parameter permits these responsible domains to sign "trusted"  
messages and to also sign less trustworthy messages.  It is not  
practical to consider all signed messages represent a uniform level  
of trustworthiness, or that the recipient can distinguish purported  
originating email-addresses.  The need for trust is important,  
especially when some messages request various actions that would be  
highly dangerous when acted upon from less trustworthy sources.   
Annotation is already required to assist the recipient in distinguishing  
which messages are signed.  This same annotation can also warn when  
the source of the message has been poorly vetted by the signer.

How can a responsible signing domain better protect their recipients  
than by using an r= parameter?

-Doug
