On Tue, 2006-10-10 at 21:39 -0400, Hector Santos wrote:
> Wonderful!
>
> 2 plus years hammering out IETF public standard specs for DKIM and
> now we get proprietary non-standard non-IETF workgroup half baked ideas?
>
> Why didn't you at least write an IETF draft? and try to get a working
> group going? Come on. Waste people's time with this stuff. Who says
> this VBR thing works? You? Where is the Threat Analysis and
> engineering behind it?

There is still work required. There is no simple way to differentiate replay abuse caused by a competitor from abuse caused by the domain being vouched. That is unless the signing domain can be associated with the SMTP Client. The DOSP draft provides an approach that helps solve that issue.

Those attempting to vouch for a domain will need to establish procedures and requirements. The requirements will likely mean this approach is limited to bulk senders where SMTP Client association does not represent a significant problem.

While VBR states that this scheme does not affect Sender-ID, the reverse is not true. Sender-ID represents a very serious threat to DNS, and MUST NOT be used to associate a signing domain with that of the SMTP Client.

When trust is established by the recipient, rather than by some vouching service, there is still a need to understand which messages should be trusted based upon just the domain, and which email-addresses are valid. Again DOSP helps solve those issues as well, along with allowing the designation of signing domains.

Designation does not alter how VBR works, as VBR is based upon the signing domains. Designated sub-domains can be established for individual customers or types of use.

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
