Douglas Otis wrote: >>> [...] Any "open" policy exposes the email-address domain >>> owner to unjustified complaint traffic.
>> No more than could happen today. I don't see any reason why >> complaints will rise that couldn't happen right now. > The mechanism directs complaints to the email-address domain > owner, rather than the signing-domain. Unfortunately, a > published "open" policy will attract more abuse. IBTD strongly. First thing, it's nice to have this new term "open-ended". In the context of SPF it's "any policy with a _potential_ result NEUTRAL". In the context of SSP it's "any policy _allowing_ unsigned mails". SPF has it clear that NEUTRAL results MUST (2119) be treated like NONE. Of course receivers are free to do whatever they like not limited to "treat NEUTRAL like FAIL if it's for @AOL" Utter dubious idea, it violates a MUST. I'm too lazy to check it now, but it would be trivial to add a similar MUST to SSP. Further, just because a policy is "open-ended" doesn't mean that all results are inconclusive, a PASS is still a PASS, a FAIL is still a FAIL, and a valid signature is still a valid signature. If there's no signature, or an invalid signature, then it just makes no sense to send complaints to the domain owner. It's also pointless to bother the "signing-domain" without a valid signature. Receivers could try to figure out where on their side something destroyed the signature, that's their problem. Like receivers should make sure where they test SPF FAIL, if they don't do it ar their border MTA it generally won't work. That leaves us with one interesting case, "open-ended" signing policy without related signature, but a PASS for a third party signature. In that case complaints should be of course sent to the signing-domain, not to the signing policy domain owner (or to the From address, maybe replacing the LHS by abuse@). I don't see any specific threat here related to "open-ended" or "closed" policies. No signature is like NEUTRAL, receivers can't do much with it (except from screwing-up), it's a polite form of saying "thanks for supporting DKIM or SPF resp., but for this mail you wasted your time". Finally, why should bad actors intentionally try to abuse addresses with "open-ended" policies ? IMO that's a stupid plan, receivers used to get "SPF PASS" or "DKIM valid" or what else would of course look twice if they suddenly get only a NEUTRAL or no signature or a broken signature. > I don't think there is any question that a closed policy will > prevent the use of most list servers, for example. Posting > to a list is a common use. Nothing forces domain owners to publish closed policies, we've already discussed this. The WG charter says that the WG will consider mailing lists, and that's a topic for the SSP draft. And also for the base draft wrt invalidated signatures. But IMO not for the threats draft. Unrelated, there are now some IETF pages for the WG: <http://tools.ietf.org/wg/dkim> Bye _______________________________________________ ietf-dkim mailing list http://dkim.org
