[ietf-dkim] General Feedback loop using DKIM

Dave CROCKER dhc at dcrocker.net
Thu May 28 08:13:36 PDT 2009 


Michael Adkins wrote:
>>       Req. #3 requires some sort of assessment mechanism, such as a third-party 
>> whitelist.
>>   
> There are two questions that you have to answer before you send a
> report. One is where to send it. How to answer that question is a good
> candidate for standardization I think. The other is whether you should
> send it or not. This is a much stickier question as the policies for
> existing FBLs vary widely and there is scant little consensus. On the
> one end you have folks like Outblaze who require a strong whitelist
> status for the sender in order to receive reports. On the other you have
> AOL who will send reports to anyone who can display a reasonable amount
> of authority for the domain (access to the postmaster@ mailbox for a
> confirmation, for example). These differences are due to policies based
> around everything from filtering strategy to legal requirements and
> there is little motivation to converge. As such, I find this part to be
> a poor candidate for standardization, beyond addressing the bare minimum
> authority requirements. If there is a strong desire to do so, that's
> fine, but please keep it separate from the 'where to send it' question.

I think the "whether" question divides into to parts.

The first is authority for receiving reports.  This is more than just being told 
where to send reports; it satisfies the requirement to determine that the 
directive for where to send reports comes from an authority to make that 
request.  So, is the "where" a valid request?

The second is whether the reporting agency wants to honor that valid request. 
That's the role of the assessment mechanism.  You cite Outblaze, which requires 
a strong assessment, and you cite AOL which effectively requires none -- it will 
send a report to anyone asking for it and authorized to do so.  I can't think of 
any reason that is or should be inherent to this mechanism for constraining the 
assessment step -- the Outblaze and the AOL policies both ought to be acceptable.

In the summary, I tried to wave my hand about what assessment step might be 
performed.  I think you've demonstrated why it's important NOT to specify very 
much about it.  But I don't think you've highlighted any error or problem with 
this part of the summary.  (In contrast with the corrections you supplied for 
other parts of the summary.)


>> I guess my question is why this doesn't come for free, when honest-to-goodness 
>> operator-oriented domain name white lists gain traction?  Such lists are the 
>> real goal of doing /any/ DKIM signing.  So once you have sending operatos 
>> signing with DKIM and an array of assessment mechanisms used DKIM-verified 
>> domain names, why can their use be easily extended to this type of FBL?
>   
> They can if the whitelists requirements comply with your FBL policy. So,
> you are correct in that eventually we should get it for free. This is a
> good argument for leaving the 'should I send it' question separate from
> 'where to send it'.

and, to be complete, the "is the specification for where to send it valid?"

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net

More information about the ietf-dkim mailing list