On Jul 28, 2006, at 11:55 AM, John L wrote:

If you give your keys to untrustworthy third parties, all bets are off. No amount of extra protocol goop is going to change that.

Scott has raised a different concern. An ISP may not restrict what From is used when signing with the ISP's domain.

In what sense is an ISP who signs mail from random senders who happen to forge your domain not an untrustworthy third party?

For most users, the main motivation will likely be to improve message delivery. Being able to associate the From with the signing domain should definitely improve delivery, especially in an era known for its delivery obstacles. It seems reasonable to assume a designation-worthy ISP does not offer access to just anyone, where risk of forgery by these users might be reasonably low. If there was an incident of forgery, an existing relationship with the ISP should provide corrective actions from a report of abuse. If forgery becomes an ongoing problem, procedures typically used for subscribing to a mailing list could also provide a reasonable means for the ISP to prevent forgery in a fairly automated fashion. The ISP would log outbound email-address use per account, and hold messages until a newly logged email-address is confirmed by this email-address's recipient.

The terminology that was being used was Designated Signing Domain and not a trusted third party. Who is the third party, the OA or the signing domain? When dealing with abuse, it is easy to view the OA as a third party. These terms may provide more clarity:

Designated Signing Domain (DSD) = Any domain designated to sign for an OA.

Common Signing Domain (CSD) = The signing domain and the OA share the same domain.

Parent Signing Domain (PSD) = The signing domain is a parent of the OA domain.

Non-Designated Domain (NDD) = Any other domain, signed or not.


A DSD could also be a CSD. A PSD could also be an NDD.

-Doug

_______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
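The four terms defined in the message above, applied to a signing domain and an OA address, as an added example that is not part of the original post. The function names and the `designated` input (the set of domains the OA domain has designated, by whatever mechanism) are assumptions, and NDD is read here as "not designated", the reading under which a PSD can also be an NDD.

```python
# Added example, not from the original message. Classifies a signing domain
# relative to the OA (originating address) domain using the DSD/CSD/PSD/NDD terms.
# `designated` is a hypothetical input: domains the OA domain has designated.

def normalize(domain):
    """Lower-case and drop a trailing root dot so comparisons are exact."""
    return domain.strip().lower().rstrip(".")

def oa_domain(address):
    """Domain part of an OA address, taken after the last '@'."""
    local, sep, domain = address.rpartition("@")
    if not sep or not domain:
        raise ValueError("OA address has no domain part: %r" % address)
    return normalize(domain)

def is_parent(parent, child):
    """True only for a strict ancestor matched on a label boundary.

    A bare suffix test would treat example.com as a parent of
    notexample.com; requiring the leading dot prevents that.
    """
    return bool(parent) and child != parent and child.endswith("." + parent)

def classify(signing_domain, oa_address, designated=()):
    """Return the set of terms that apply; the categories can overlap."""
    signer = normalize(signing_domain)
    oa = oa_domain(oa_address)
    terms = set()
    if signer == oa:
        terms.add("CSD")            # signer and OA share the same domain
    if is_parent(signer, oa):
        terms.add("PSD")            # signer is a parent of the OA domain
    if signer in {normalize(d) for d in designated}:
        terms.add("DSD")            # explicitly designated to sign for the OA
    else:
        terms.add("NDD")            # assumption: NDD means "not designated"
    return terms

if __name__ == "__main__":
    # Constructed sample inputs: (signing domain, OA address, designated set)
    samples = [
        ("example.com", "user@example.com", ["example.com"]),
        ("example.com", "user@mail.example.com", []),
        ("isp.example", "user@example.com", ["isp.example"]),
        ("example.com", "user@notexample.com", []),
    ]
    for signer, oa, des in samples:
        print(signer, oa, sorted(classify(signer, oa, des)))
```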
