[ietf-dkim] user level ssp

[Douglas Otis]

On Sep 6, 2006, at 4:24 PM, Thomas A. Fine wrote:

>
> The alleged half-implemented DKIM within a domain makes no sense  
> whatsoever - why would a domain work really hard to maintain  
> thousands or millions of records, so that the spammers can continue  
> to forge spam from their domain with policy-assured freedom? They  
> won't.

What is being forged, the email-address?


> The sensible solution is to dispense with all this user-signed  
> nonsense. It does no real good.

The mechanism being sought is to use policy as a means to  
differentiate a message from other messages within a common signing  
domain.  The concern is not limited to just spammers.  The recipient  
can then recognize specific assurances via message annotations.  This  
mechanism is essential.


> Domains should be free to set up as many keys as they want, and use  
> them however they want.  If they want to set up a million keys, one  
> for each user, well, that's dumb in my opinion, but let them,  
> because it's not for me to dictate.  At any rate, this will handle  
> any odd situations where users have a legitimate need to self-sign.
>
> BUT: this should all be part of the standard mechanism for  
> distributing valid keys, and should not in any way be a special  
> case for user validation.  It should simply be part of the selector  
> mechanism.

An arcane component of a DKIM signature (the selector) or a signing  
subdomain (where assurances of the email-address being valid is lost)  
does not offer viable differentiated protections.  Keep in mind, the  
entire domain is not equally trustworthy.

-Doug