Doug,

Authoritative statements made by a DKIM-aware MUA are a good thing. However, from an ISP perspective I would not depend on an end user to have a DKIM-aware MUA but will verify and do Policy silently at my edge MTA devices. Any mail that makes it past there can still be acted upon by the MUA.
Bill Oxley
Messaging Engineer
Cox Communications
404-847-6397

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas Otis
Sent: Monday, January 22, 2007 6:32 PM
To: J.D. Falk
Cc: [email protected]
Subject: Re: [ietf-dkim] Change to Section 6

On Jan 22, 2007, at 2:17 PM, J.D. Falk wrote:

> On 1/19/07 7:07 PM, John Levine wrote:
>
>>> I disagree with Doug and agree with the wording in the current
>>> document.
>> I'm with Paul, I do not want to reopen the arguments about how long a
>> verification key should or shouldn't be around.
>
> Not sure if it's a +1 to Paul or a -1 to Doug, but either way I
> agree with Paul and John here. We need -base yesterday; save the
> endless intractable arguments for SSP.

While I might agree with the urgency, this poorly worded comment launches the SSP journey with a stated expectation that MTAs provide full coverage of DKIM signature verification prior to messages being obtained by end users. This produces unrealistic expectations for how DKIM might be adopted, as well as overestimating the consistency of MTAs and their backups. While this group might be dominated by MTA vendors (in general a good thing), DKIM will likely offer far greater protections in the hands of MUA vendors who can provide much-needed annotations in an era where email will also likely see a rapid uptake of EAI extensions.

<repeated rant 1>
UTF-8 should create serious doubts about the efficacy of any annotation made by MTAs not based upon a level of trust. The current thinking appears to be annotations indicating the number of policy hoops navigated. With a churn rate of domain names in the millions per day, it is not reasonable to assume a protection scheme can stay ahead of the bad actors. Finding a means to establish trusted identities is critically important. One such source might be the recipient's address book, in addition to DAC lists appropriate at the MTA.
</repeated rant 1>

<repeated rant 2>
The bifurcation of identities introduced by EAI also means a common domain scheme depended upon to link headers with DKIM signatures is not adequate either. Expecting MTA servers to warehouse hundreds or thousands of private keys is another cause for concern, before launching the SS DKIM. This problem can be resolved by a simple relaxation of the 'i=' identity and a provision allowing domain association using simple hash tags.
</repeated rant 2>

-Doug

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
