[ietf-dkim] Re: 1: 1 and assertions about third parties

Hector Santos hsantos at santronics.com
Thu Jan 17 21:27:15 PST 2008


John L wrote:
>>> My expectation is that a large majority of domains that would publish 
>>> strict SSP policies would be small mail systems with no more forgery 
>>> problems than anyone else, but an exaggerated idea of their own 
>>> importance. 
>>
>> I'm sorry, but is it just your peevishness about their perceived
>> self-importance? What difference does it make if they aren't as
>> important as they think they are? How is that negatively affecting
>> you?
> 
> My understanding is that the point of publishing SSP is to help mail 
> recipients filter their mail better, where the only useful meaning of 
> better is that it makes the recipient users happier.  

Well, that applies to any filtering concept in general - hence the term 
filtering.

To me, SSP is related to the DKIM-BASE "promotion" for a new level of 
operations and expectations.

The DKIM-BASE presumption is such that all mail is going to be signed or 
not signed and that the receiver should make new assertions about the 
valid DKIM-BASE signed mail.

The problem is twofold:

   - Was it authorized (signed) by the right person?
   - Was it REALLY not signed (as opposed to failed) at all?

The idea that a receiver should just apply special DKIM considerations 
to valid signed mail and ignore the "Same Considerations" when they are 
not signed, just accept it as it was legacy stuff, is unacceptable in my 
book.

This can only be resolved by what is expected by the "domain 
owner."  That expectation has to come from somewhere.

In my opinion, it boils down to:

  a) Some believe that comes from a non-standard TRUST service
     (another form of SSP, but limited only to those who are
     members of the TRUST server).

  b) A "batteries not required" industry standard SSP approach
     which allows the DOMAIN itself to define the expectation.

The first method can offer both merged "POLICY" and "REPUTATION" logic.

The latter is simply about DKIM-BASE protocol consistency. In lieu of a 
white/black list, no reputation is considered. Everyone is viewed the 
same way.

The first has limited effectiveness since it is secluded to member 
records only and it has NO logic for unsigned mail signatures.  This 
will not allow receivers to cover DKIM across the board, i.e., it doesn't 
address the legacy market - where the majority of abuse is located.

The latter has the potential to be vastly effective since no special 3rd 
party membership is required and MOST of the abuse occurs when there is 
protocol inconsistency. This will allow receivers to cover DKIM across 
the board.

-- 
Sincerely

Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
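The two questions in the post (was the message signed by the right party, and was it really unsigned rather than failed) are what a receiver has to separate before the domain owner's published expectation can be applied. The following is an added example, not code from the thread or from any DKIM implementation; it assumes policy values dkim=unknown|all|strict in the style of the SSP drafts, a constructed policy table standing in for the DNS lookup, and a verification result supplied by a separate verifier.

```python
import re
from email.utils import parseaddr

# Constructed policy records standing in for a DNS lookup of the
# domain's SSP record (record name and tag values are assumptions).
POLICIES = {
    "strict.example": "dkim=strict",
    "signsall.example": "dkim=all",
}

def from_domain(headers):
    """Domain of the address in the From: header, lower-cased."""
    _, addr = parseaddr(headers.get("From", ""))
    return addr.rpartition("@")[2].lower()

def signer_domain(headers):
    """d= tag of the DKIM-Signature header, or None when unsigned."""
    sig = headers.get("DKIM-Signature")
    if sig is None:
        return None
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    return m.group(1).lower() if m else None

def evaluate(headers, verify_result, policies=POLICIES):
    """Disposition of one message given the author domain's expectation.
    verify_result is 'pass' or 'fail' when a signature is present.
    Unsigned mail and mail with a failed signature are kept distinct,
    so a broken or stripped signature is never treated as 'legacy'."""
    author = from_domain(headers)
    signer = signer_domain(headers)
    if signer == author and verify_result == "pass":
        return "accept: first-party signature verified"
    policy = policies.get(author, "dkim=unknown").split("=")[1]
    if signer is None:
        state = "unsigned"
    elif verify_result != "pass":
        state = "signature failed"
    else:
        state = f"third-party signature by {signer}"  # valid, but not author's
    if policy == "unknown":
        return f"accept: {state}, domain states no expectation"
    if policy == "all":
        return f"suspicious: {state}, but {author} says it signs all mail"
    # assumed mapping: 'strict' means non-first-party mail may be rejected
    return f"reject: {state}, but {author} says signatures are required"
```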


