On August 13, 2005 at 19:13, Michael Thomas wrote:

> PS: but even then, it doesn't show that the problem will be
> "worse", which is what I was commenting on.

I do not think anyone can positively state things will get worse, but there is always a risk. And the risk is greater if the system is not implemented well. The real answer will not be known until something is tried, since predicting what spammers will do tends to be an exercise in futility.

What is important is to understand exactly what DKIM tries to solve: the identity forgery problem. If people can agree that the identity forgery problem is a serious enough problem to address, then something like DKIM is worth trying, especially if the solution costs less than letting the problem persist.

(Side Note: From an analytic perspective, it is worth noting why protocols like S/MIME and OpenPGP are not suited to deal with this problem in order to justify the existence of DKIM.)

The specification as it exists right now has some holes in it, but these can be filled. Care must be taken to ensure that DKIM, or any other proposal that attempts to address forgery, does not create new avenues of exploitation. This ties into my address-based versus domain-based forgery. DKIM is domain-based, but as it exists now, it actually will facilitate address-based forgery. This will hopefully be corrected in the next draft revisions, which has been noted in other discussion threads.

We also cannot be naive to assume that bad actors will not use email authentication themselves. Not all bad actors in the spam domain are forging their identities, or even care to. Address/domain identity is not a very strong form of identification. Getting from an email address to a real person is not necessarily an easy task, and spammers know this.

BTW, it may help to stop mentioning DKIM as an anti-spam measure, and only refer to it within the context of the problem it actually addresses: email identity forgery. Of course, people will make inferences that DKIM is an anti-spam measure, but DKIM documents should not even mention spam.

--ewh
