On Sat, 2005-08-20 at 22:17 -0400, Scott Kitterman wrote:
> Douglas Otis wrote:
> > With DKIM, a small list of trusted signing domains will exclude most
> > emails which need greater examination. The level of support to maintain
> > this type of trusted list would be less than the traditional IP address
> > white-list. By not binding the signing domain with the mailbox-address,
> > there can be greater consolidation which further improves the leverage
> > of such a list. Those implementing DKIM could benefit by this rather
> > practical use. Complaints directed to those permitting access will
> > benefit the industry in general, and again provide greater acceptance
> > with DKIM as the basis. When MUAs eventually display the signing
> > domain, this should also be to signing domain's benefit.
> >
> > Aspects of the message content may become beneficiaries of a domain
> > binding later, but should not be included in initial offering to ensure
> > fewer operational issues.
>
> I'm not certain, but I think you are saying that the benefit to me is
> that I'll be put on a whitelist and it will be very difficult to get my
> mail delivered if I'm not on the magic list?

Consider mutual benefits rather than that derived from one party signing. As long as costs with respect to implementation are minimal, barriers toward acceptance should also remain low. With low entry barriers and eventual wide deployment, better access control and abuse isolation can be achieved. On the other hand, problems requiring extensive support with a new scheme will create substantial barriers.

User access must be controlled at the sending domain. This granularity of control can not be done by recipients applying extensive rules based upon excessive amounts of information inappropriately placed in DNS. All of this complexity will fail as vain attempts to thwart targeted behaviors of individual abusive users.

> I don't have a problem with getting my mail delivered today, so I guess
> if your view prevails, I can ignore DKIM until someone starts telling me
> I MUST sign using DKIM or they won't accept my messages. I expect I
> wouldn't be alone in that view.

Many will wait. This working group should not oversell DKIM. DKIM can not directly prevent forgery or phishing. DKIM can not directly prevent people from lying. DKIM will allow effective actions when problems are reported. Offering this modest means to verify the administrative domain will likely become a more significant acceptance factor which should foster greater adoption.

> Am I missing something here (wrt to benefit to a sender to sign)?
>
> When you say "..will benefit the industry in general.." what industry
> are you talking about?

By industry, I am referring to institutions and companies who depend upon email to conduct business. Email is suffering with protocols that currently do not offer effective means for locating and preventing the repetitions of abusive behavior. DKIM is not improved by binding mailboxes to administrative domains because that is not how email currently works. Source isolation could improve greatly by an opaque identifier which does not alter current email use. The administrative domain would add this identifier assured to isolate any potential source of abuse.

People (and manual filters) are good at recognizing patterns. A signing domain with an opaque identifier will be a more effective deterrent than complex and problematic bindings of server's domains with that of mailboxes.

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org
