[ietf-dkim] r= for instilling good domain-name practices

Douglas Otis dotis at mail-abuse.org
Mon May 1 16:57:17 PDT 2006


On May 1, 2006, at 12:00 PM, John L wrote:
>>
>> The r= parameter would allow the signer to assist the recipient in  
>> distinguishing between well vetted, and poorly vetted sources.
>
> Only if the recipient has some extra info about what meaning a  
> particular signer gives to its r= codes, which in general will not  
> be the case.  Or if the recipient does know something extra about  
> the signer, they can make any private arrangements they want, so  
> there's no need to put anything in a standard.

Okay, 0-9 may be far too many to arrive at a well understood  
interpretation.  Following the example of the x-priority header, also  
used ubiquitously for message annotation, three levels seem a basic  
minimum.

The default assignment, when r= is not included, would be r=1  
(normal).  An r=0 (low) level serves as a warning by the signer that  
the source or the content of the message has not been fully vetted.   
Alternatively, an r=2 (high) level indicates that both the source and  
the content of the message have been well vetted.  When the signing  
domain is trusted, the recipient may better rely upon information  
within the message when the signer also offers an increased reliance  
level.  Conversely, the signer offering a lowered reliance level  
could serve as a necessary warning.

0= low
1= normal (default)
2= high

: The r= parameter is assigned by the signer a value of
: 0-2, where 1 is the default, which recommends a normal
: reliance level be assigned the message for purposes of
: annotation.  An annotation of level 0 is to warn the
: recipient to place less reliance upon the information
: contained within the message.  An annotation level of 2
: indicates a higher level of reliance can be placed upon
: the information contained within the message.
:
: To ensure control in the case of MUA signing, the r=
: parameter in the signature MUST always be less than or
: equal to the key r= level.  When there is no r=
: parameter found in the key, the highest r= parameter
: allowed in the signature would be r=1.  When there are
: no r= parameters found within the signature, r= defaults
: to a level of 1.   In an instance where the key r=
: parameter is less than that of the signature, the
: signature is invalid.

The signature provides an accountable domain when abuse is detected.   
When the signature encompasses a range of sources where some are  
poorly vetted, the signature, by itself, cannot impart any  
additional level of trust, nor is it reasonable to expect recipients  
to recognize or independently vet email-addresses contained within  
messages.  Elevated reliance upon an email-address above that of the  
signing-domain would require several unsafe and unverifiable  
assumptions.

For example, an ISP may sign all messages.  When those messages are  
not authenticated from known good accounts, the provider may wish to  
warn recipients by asserting an r=0.  When the ISP wishes to  
recommend actions that might be considered dangerous when from  
untrustworthy sources, the ISP may wish to offer an r=2 to assure  
their customers that acting upon the information should not be  
considered a security risk.  The ISP may also caution customers not  
to act on account or system related requests that are not signed by  
them with an r=2 level.  Without the r= convention, greater  
constraints upon email-addresses would be required, and additional  
domain names would be needed to make distinctions of relative  
trust.  Email-address constraints may be disruptive, and additional  
domain names diminish the goal of reducing the level of spoofing.

-Doug
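
The r= check proposed in the message above, written out as an added example that is not part of the original post. The function names, the simplified tag-list parser, the sample tag lists, and the choice to treat a malformed r= value as invalid are assumptions made for illustration.

```python
# Added example: applies the proposed r= reliance rule to a signature/key pair.
# Tag lists are parsed in simplified form ("tag=value; tag=value").

DEFAULT_LEVEL = 1  # r=1 (normal) applies when the signature carries no r=
LABELS = {0: "low", 1: "normal", 2: "high"}


def parse_tags(tag_list):
    """Split a 'tag=value; tag=value' list into a dict."""
    tags = {}
    for item in tag_list.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        tags[name.strip()] = value.strip()
    return tags


def reliance_level(tags):
    """Return the r= level as an int, or None when the tag is absent."""
    raw = tags.get("r")
    if raw is None:
        return None
    if raw not in ("0", "1", "2"):
        raise ValueError(f"r= must be 0, 1 or 2, got {raw!r}")
    return int(raw)


def evaluate(signature_tags, key_tags):
    """Return (valid, level, label) for the proposed rule."""
    try:
        sig_r = reliance_level(parse_tags(signature_tags))
        key_r = reliance_level(parse_tags(key_tags))
    except ValueError:
        # Assumption: the proposal does not say how to treat malformed values.
        return (False, None, "invalid")
    sig_level = DEFAULT_LEVEL if sig_r is None else sig_r
    # A key without r= allows at most r=1 in the signature.
    ceiling = DEFAULT_LEVEL if key_r is None else key_r
    # Read literally, a key with r=0 also rejects a signature that omits r=,
    # because the omitted value defaults to 1.
    if sig_level > ceiling:
        return (False, None, "invalid")
    return (True, sig_level, LABELS[sig_level])
```
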



