[ietf-dkim] Keys vs. Reputation
Damon
deepvoice at gmail.com
Tue Aug 22 07:45:58 PDT 2006
On 8/22/06, Douglas Otis <dotis at mail-abuse.org> wrote:
> On Tue, 2006-08-22 at 05:54 -0400, Hector Santos wrote:
> >
> > But 99% of the time, or let's just say it is expected police protocol
> > and practice for a traffic stop, that if there is a problem with your
> > driver's license (the photo, the sex, age, height, etc. are simply
> > not quite consistent with what he is seeing in reality), at this
> > point there is increased scrutiny, and by police protocol and practice
> > he should radio the HQ database (i.e., Reputation Service) to find out
> > if there is anything bad or new to find out about you or the vehicle
> > you are driving.
>
> Most bad actors are not fools. Playing a hard-nosed cop will block vastly
> more legitimate email than spoofing attempts. Due to look-alike and
> internationalization issues, the ultimate solution cannot rely upon
> failed concepts that attempt to impose a problematic authorization
> scheme. Who can afford an increase in phone calls and complaints anyway?
>
> 2822.From policy is best used to indicate which 2822.From addresses are
> valid. With DKIM and this policy, the number of messages that can be
> discerned to have a valid 2822.From address can greatly increase without
> imposing hardships. Policy does this by permitting autonomous
> administration. When the MUAs annotate messages that are both found in
> the Address Book, and appear to be signed with valid 2822.From
> addresses, look-alike and internationalization exploits will have been
> thwarted. This prevention does not rely upon a reputation or an
> authorization scheme.
>
> A great deal of legitimate email will not be assured to have a valid
> 2822.From address. Over time that may change. Nevertheless, DKIM can
> restore trust in the 2822.From address, especially for critical
> messages. This trust must not be based upon visual examination. The
> bad actors are too good at creating forgeries. The MUA must implement
> the final check at the highest resolution possible. The MTA cannot
> achieve the same level of scrutiny.
>
> Perhaps a 2821.MAIL_FROM policy of a designated domain list can provide
> an association with the DKIM signing domain. These associations could
> improve upon the MTA triage process without DoS concerns, but not as a
> type of authorization scheme and without the badges. : )
>
Wow, that was a lot of typing to try and convince me that everyone
hates more phone calls and trouble tickets and therefore we should
punt.
Are you saying that you see NO value in it or so little value that it
would be statistically insignificant?
Remember - it is OPTIONAL.
Regards,
Damon Sauer
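The MUA-side check Otis describes above (annotate a message only when the From address is in the user's address book AND the message carries a valid DKIM signature aligned with that From domain) is sketched here as an added example; it is not code from the thread or from any DKIM implementation. It assumes the cryptographic verification result is supplied by a separate DKIM library and only shows the policy decision, with domains normalized to their ASCII (IDNA) form so a look-alike Unicode label cannot match an address-book entry.

```python
import email
from email.utils import parseaddr

# Constructed address book: the addresses this user has chosen to trust.
ADDRESS_BOOK = {"alice@example.com", "billing@bank.example"}

def ascii_domain(domain):
    """Lower-case a domain and convert it to its ASCII (punycode) form so that
    an internationalized look-alike never compares equal to an ASCII entry."""
    try:
        return domain.strip().lower().encode("idna").decode("ascii")
    except UnicodeError:
        return None

def dkim_signing_domain(msg):
    """Return the d= tag of the first DKIM-Signature header, or None if unsigned."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    for tag in sig.split(";"):          # tags may span folded lines; strip handles it
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "d":
            return value.strip()
    return None

def annotate(raw_message, signature_verified, address_book=ADDRESS_BOOK):
    """Return "trusted" if the MUA may badge this From address, else "plain".
    signature_verified is the DKIM library's result (assumed input here)."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, dom = addr.rpartition("@")
    if not local or not dom or not signature_verified:
        return "plain"
    from_dom = ascii_domain(dom)
    sign_dom = ascii_domain(dkim_signing_domain(msg) or "")
    if not from_dom or not sign_dom:
        return "plain"
    # Alignment: the signing domain must be the From domain or one of its parents.
    if from_dom != sign_dom and not from_dom.endswith("." + sign_dom):
        return "plain"
    # Address-book match on the normalized form (local part folded to lower case).
    return "trusted" if f"{local.lower()}@{from_dom}" in address_book else "plain"

# Constructed sample messages: a genuine contact, and a look-alike domain
# (Cyrillic "\u0430" in place of Latin "a") that the attacker signed themselves.
LEGIT = "From: Alice <alice@example.com>\nDKIM-Signature: v=1; a=rsa-sha256;\n d=example.com; s=sel\nSubject: hi\n\nbody\n"
LOOKALIKE = "From: Alice <alice@ex\u0430mple.com>\nDKIM-Signature: v=1; a=rsa-sha256;\n d=ex\u0430mple.com; s=sel\nSubject: hi\n\nbody\n"
UNSIGNED = "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n"
```

The look-alike message is correctly signed by its own domain, yet gets no badge because the normalized address is not in the address book; the unsigned message from the real contact gets none either.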