[ietf-dkim] Responsibility concerns with Designated Signing Domains

william(at)elan.net william at elan.net
Sat Aug 26 08:45:01 PDT 2006 

On Fri, 25 Aug 2006, Jim Fenton wrote:

> While we aren't defining reputation or accreditation services in this
> working group, it has been widely suggested that such services would use
> the d= domain on the signature as the "lookup key" for retrieving
> reputation or accreditation information.

Not necessarily only that. Its just that 'd' is a verified identity
and so is good for building up reputation. SSP provides ability to
build additional verified identities (currently only identity being
talkied about is 'From'), so those verified identities after that
can also start to be used for reputation and accreditation - I
predict even more so then signature's 'd' because they are more
easily related to actual users of the system.

In light of above you'll find that all 3 of your questions have an
answer in "From" identity reputation and it will in work properly.
On the other hand its pure 'd' identity that ma have problems
especially as you alluded to in the 3rd question.

> There is a fundamental difference, then, between key delegation and
> delegation via SSP.  In the former (key delegation) case, the party
> applying the signature (delegatee) is merely acting as an agent of the
> delegator to do the mechanics of signature application.   It is still
> the delegator's signature, and the "buck stops" with the delegator in
> terms of who has taken responsibility for the message.  In the latter
> (SSP delegation) case, it is the delegatee's domain that takes
> responsibility for the message.  Some have suggested the delegatee might
> want to use subdomains in order to allow reputations to avoid
> aggregating reputations from different delegators (or classes of
> delegators).
>
> Some implications of this change in responsibility:
>
> 1. Responsible domains using SSP delegation will not be able to change
> signing providers (delegatees) without forfeiting any positive
> reputation they have accumulated.  It should really be the delegator's
> positive reputation, because they are the ones acting responsibly in
> their mailing practices and/or the use of outside mailing providers.  It
> should not be necessary to start over if you change ISPs or outbound
> marketing providers.
>
> 2. Delegators are more likely to be diligent in the choice of delegatees
> when it is their own reputation at stake.  When it is the delegatee's
> reputation at stake, they can always employ an unreliable party, or in
> the extreme a spammer, and when abuse is reported simply say "oh, sorry"
> but not endure any impact on their reputation at all.
>
> 3. We are already aware of the potential for the use of throw-away
> domain names by bad actors who otherwise might accrue a bad reputation.
> This opens a new possibility:  it isn't necessary to get a new domain,
> just delegate signing to a new entity and "all is forgiven".

How is that different then just default use of DKIM?

-- 
William Leibzon
Elan Networks
william at elan.net

More information about the ietf-dkim mailing list