[ietf-dkim] "I sign everything" is not a useful policy
dhc at dcrocker.net
Sat Aug 5 19:21:59 PDT 2006
Mark Delany wrote:
> On Sat, Aug 05, 2006 at 06:06:59PM -0700, Dave Crocker allegedly wrote:
>> Seriously. SSP can be entirely useful when stated in terms of the sender's
>> perspective. It does not need to pretend that it knows enough to give
>> directions to an evaluator.
> Sorry for being dense, but I have to ask the question again. Who is the
> target audience for the "sender's perspective" if not the evaluator? Put in
> my blunt language. Why publish an SSP if no one listens?

Mark, it's ok if you are dense. It forces me to (try to) be more clear:

I did not say that the evaluator should or would pay no attention to the SSP
information. What I am saying is that there is a difference between telling
someone what *I* do versus telling them what *they* should do.

If I choose to deliver unsigned mail that purports to be from a domain that says
it signs everything, but I mark it up with flashing lights that say "spoofed" do
you want that to be a protocol violation? What about my choosing to send it to
my sysadmin for special handling for spoofed mail? What about...

In other words, there are lots of things that I might reasonably choose to do
with mail that I receive that violates one or another SSP statement.

It is not the publisher's right or responsibility to tell me what to do with
information. By contrast it is entirely reasonable for them to provide me with
information that I am likely to find helpful.

> Dave, I know you are subtle about such things and the purposeful disconnect
> that is lost on me, clearly has merit to you. Can you use simple words and
> help me out? Of course SSP can only be advisory at best, but is there more to
> your perspective than that?

A signer should make statements that a) the signer believes to be important, and
b) there is a good basis for believing that evaluators will consider important.

A signer should not direct the evaluator what is to be done with that information.

I do not see this distinction as small or subtle.

John Levine's note:
>> When I think of SSP records saying dump mail if it's not signed, I see a
>> bunch of tiny gorillas*, beating their teensy chests and saying in high
>> squeaky voices, "Beware, oh Internet, of the Scourge of Criminals
>> attempting to forge the image of my Inestimable Personage, and do not
>> DARE to be fooled by these Base Mockeries of Communication!" The only
>> reasonable response from everyone else is somewhere between "Huh?" and
>> "Get real."
>> If the ABA or the FDIC published a list of domains used by member banks
>> to send signed transactional mail, I would find that really useful. A
>> list of people who think they are as threatened by forgery as those
>> banks is useless other than for entertainment value.
>> So that's the problem with SSP. Whatever your policy is, unless you're
>> someone I already have reason to be interested in, I don't care.
seems to be getting at the same point:
It's fine for you to tell me interesting stuff, but please do not pretend
to tell me what to do with it.