Arvel Hathcock <[EMAIL PROTECTED]> wrote:

> >> Since the people I know involved with DKIM expect it
> >> to be plenty useful without third party reputation services,
> >> I'm not sure what your point is.
> >
> > Well, they may expect it to be, but I haven't heard any arguments
> > along those lines that I find convincing.
> 
> Really??  If I see a message which is DKIM signed by iecc.com and
> iecc.com is on my "DKIM white-list" this is pretty useful info right?
> I can probably get away with relaxing or even skipping heuristic spam
> filtering on that email with a fair degree of comfort.  How is the
> utility of that in any way unclear?

The scenario you cite is likely of *some* utility but it's not clear how
much, or if it exceeds the cost of implementation and design. The answer
to that question depends on (at minimum) (1) what the false positive
rate would have been without the whitelisting, (2) the degree of
predictability about whitelist contents (for attackers), and (3) the
level of zombie infection--or more precisely potential zombie
infection--of the domains which are on the whitelist. It's not clear to
me that we have good data on any of these questions, let alone an
analysis that incorporates all of them.

-Ekr






_______________________________________________
ietf-dkim mailing list
http://dkim.org
