[ietf-dkim] "I sign everything" is not a useful policy
Bill.Oxley at cox.com
Bill.Oxley at cox.com
Sat Aug 5 21:23:43 PDT 2006
The engineering part is easy, what is extremely difficult is the policy.
After spending a long period of time debating what the word UNIQUE means
in a policy document that has some similarities to email, I want to get
it right the first time. Make sure the rules are simple. Ensure there is
agreement. Make sure a clean unambiguous meaning is set to every
Its harder than it looks.
Cox Communications, Inc.
bill.oxley at cox.com
From: ietf-dkim-bounces at mipassoc.org
[mailto:ietf-dkim-bounces at mipassoc.org] On Behalf Of Hector Santos
Sent: Sunday, August 06, 2006 12:01 AM
To: dcrocker at bbiw.net; ietf-dkim at mipassoc.org
Subject: Re: [ietf-dkim] "I sign everything" is not a useful policy
----- Original Message -----
From: "Dave Crocker" <dhc at dcrocker.net>
> If I choose to deliver unsigned mail that purports to be from a
> domain that says it signs everything, but I mark it up with flashing
> lights that say "spoofed" do you want that to be a protocol violation?
Yes. I am not what you mean by "But i mark it up with.." by yes, if the
domain expectations for a valid transactions are broken, in order to
his reputation inherited by a DKIM-BASE mandate, he would prerfer it to
> What about my choosing to send it to
> my sysadmin for special handling for spoofed mail? What about...
Thats up to you and local system policy. That should take away the
declaration for his expectatons for a valid transaction.
> In other words, there are lots of things that I might reasonably
> choose to do with mail that I receive that violates one or
> another SSP statement.
I am not sure I follow the logic, but this is all really simple. The
told you want is expected for a valid message. It went thru all the work
signing messages for some reason that hopefully has some payoff when
go wrong with it. Isn't the essense of a security protocol? When the
protocol is not followed?
> It is not the publisher's right or responsibility to tell me what to
> information. By contrast it is entirely reasonable for them to provide
> information that I am likely to find helpful.
Agree. And sure, as a receiver, you can decide to do what you want. But
we are talking about helping to stop or control abuse, then I think most
receivers are very interested in technology that will help in the area.
> A signer should make statements that a) the signer believes to
> be important, and b) there is a good basis for believing that
> evaluators will consider important.
Isn't this what SSP draft, including DSAP I-D draft already does and
Have you looked at this documents? What is wrong with them? Do you
the engineering done? What's missing?
Hector Santos, Santronics Software, Inc.
NOTE WELL: This list operates according to
More information about the ietf-dkim