On August 19, 2005 at 17:23, Douglas Otis wrote: > Different levels seem to suggest shifting accountability to > coincident mailbox-domains, or even listed mailbox-domains, when > accountability is not fully attributed to the signing domain. > Mailbox-domain selection and related permission structures will prove > disruptive and problematic.
And I am not talking about that in this discussion. As DKIM is defined now, the authorization structure within a domain is domain-defined, and outside of the scope of DKIM. What I am trying to get clear is your view of DKIM should be. I may or may not agree with it, but I'm trying to get a clear understanding of it. > In effect, mail will simply not function > properly, while creating significant risk depending upon how > accountability is dispersed within a multi-level scheme. Simple non- > header assertions are possible where DKIM ignores the mailbox-address > entirely. A tangent that does not concern me now. What I am trying to understand is your view of "accountability" at the *domain* level, with respect to other domains involved in the transmission of a message and how this would be part of the DKIM specification. When a message is transmitted, there is always an initial domain, and I have been calling this the _originating domain_. How that domain determines who is authorized to send messages out from that domain is specific to the domain and its governing policies. During message transmission, there may be intermediate domains. Examples: Forwardings services, secondary mail exchangers, third-party service filters. Each domain has a different role in the transmission of the message. In your view, if all the domains do DKIM signing, are all the domains equally accountable (or claiming equal accountability), regardless the role they play? It appears your discussion of accountability is really something that sits on top of DKIM, since trying to standardize "accountability" seems impractical. Are all you asking for, at the DKIM specification level, is for DKIM to provide a domain-based message signing specification indicating "here is what I am transmitting out"? SSP is not part of the equation. With the core signing specification, things like accountability and reputation systems can be reliably built. Things like anti-spoofing and anti-forgery should not be part of DKIM? > By authenticating the HELO, name based reputation could substantially > replace IP address based reputations. Are you refering to an SPF-like system here? (I know, this a distraction, so you we can discuss later). --ewh _______________________________________________ ietf-dkim mailing list http://dkim.org
