[ietf-dkim] "I sign everything" is not a useful policy
Bill.Oxley at cox.com
Sat Aug 5 21:23:43 PDT 2006
Hector,
The engineering part is easy, what is extremely difficult is the policy.
After spending a long period of time debating what the word UNIQUE means
in a policy document that has some similarities to email, I want to get
it right the first time. Make sure the rules are simple. Ensure there is
agreement. Make sure a clean unambiguous meaning is set to every
possibility.
It's harder than it looks.
Bill Oxley
Messaging Engineer
Cox Communications, Inc.
Alpharetta GA
404-847-6397
bill.oxley at cox.com
-----Original Message-----
From: ietf-dkim-bounces at mipassoc.org
[mailto:ietf-dkim-bounces at mipassoc.org] On Behalf Of Hector Santos
Sent: Sunday, August 06, 2006 12:01 AM
To: dcrocker at bbiw.net; ietf-dkim at mipassoc.org
Subject: Re: [ietf-dkim] "I sign everything" is not a useful policy
----- Original Message -----
From: "Dave Crocker" <dhc at dcrocker.net>
> If I choose to deliver unsigned mail that purports to be from a
> domain that says it signs everything, but I mark it up with flashing
> lights that say "spoofed" do you want that to be a protocol violation?
Yes. I am not sure what you mean by "But I mark it up with..", but yes, if
the domain expectations for a valid transaction are broken, in order to
protect his reputation inherited by a DKIM-BASE mandate, he would prefer
it to be a protocol violation.
> What about my choosing to send it to
> my sysadmin for special handling for spoofed mail? What about...
That's up to you and local system policy. That should take away the
domain declaration for his expectations for a valid transaction.
> In other words, there are lots of things that I might reasonably
> choose to do with mail that I receive that violates one or
> another SSP statement.
I am not sure I follow the logic, but this is all really simple. The
domain told you what is expected for a valid message. It went thru all
the work on signing messages for some reason that hopefully has some
payoff when things go wrong with it. Isn't the essence of a security
protocol? When the protocol is not followed?
> It is not the publisher's right or responsibility to tell me what to
> do with information. By contrast it is entirely reasonable for them
> to provide me with information that I am likely to find helpful.
Agree. And sure, as a receiver, you can decide to do what you want. But
if we are talking about helping to stop or control abuse, then I think
most receivers are very interested in technology that will help in the
area.
> A signer should make statements that a) the signer believes to
> be important, and b) there is a good basis for believing that
> evaluators will consider important.
Isn't this what SSP draft, including DSAP I-D draft already does and
documents?
Have you looked at these documents? What is wrong with them? Do you
trust the engineering done? What's missing?
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com