On Fri, 2005-11-25 at 14:40 -0600, Arvel Hathcock wrote:
> >> The only reason the so-called "freedom" exists is simply because there
> >> were no controls in place before, hence the major exploitation and
> >> abuse of the domains.
> >
> > You are describing current practices, permitting the operation of
> > list-servers for example, as abusive.
>
> Nope, he's not.

Sending messages where the From header field indicates the message's
author is not exploiting or abusing the domain of the author's
email-address. Rules prohibiting one's ability to send such messages
would be highly disruptive. A list server would be one example of the
practices disrupted by such a prohibition.

Multiple From email-addresses will create confusion and new avenues for
exploitation. Abuse takes many forms. Simplistic domain policies assume
the use of ASCII display terminals, as these policies are useless when
other character-sets or display modes are considered.

The mere association of a From email-address with a signing-domain
offers little protection, but incurs a high cost. With a multitude of
socially engineered exploits that will remain unaffected, the impact
upon spoofing may be difficult to notice, once abusers decide to adapt.
As these spoofing exploits continue, large numbers of similar domains
will need to be acquired. This SSP approach retreats to a point in time
where there were but a few TLDs and just one character-set.

> Conversely though, you treat current practice as sacrosanct,
> inscripturating it with an almost evangelical fervor. There is much
> about current practice that demands a reformation in my view.

Those administering the system and granting access should remain
accountable. An authorization scheme like SSP opens the door for unfair
coercion, which shifts the burden onto an often hapless email-address
domain owner. At the mercy of message deletion, authorization will need
to be instantiated, and then, due to unfair reputation accrual, will
then demand a limitation in providers. While this may seem ideal for
some providers, SSP breaks many things and reduces freedoms while
offering little of redeeming value.

SSP authorization is _not_ the only option that DKIM enables. The
inclusion of binding-advice within the signature can instantiate
simplistic domain policies.
This would be possible without the use of an authorization record that
invites coercion and unfair accrual. This binding approach also enables
a strategy where email authors can be recognized by the system, and thus
abate many of the socially engineered exploits. This can be done with
less overhead and less administration without breaking things.

Things can be made better with DKIM. However, SSP makes things worse.

-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
