>-----Original Message-----
>From: John Levine [mailto:[EMAIL PROTECTED]
>Sent: Sunday, February 03, 2008 2:44 PM
>To: [email protected]
>Cc: MH Michael Hammer (5304)
>Subject: Re: [ietf-dkim] poison signatures, was draft-ietf-dkim-ssp-02
>
>>It is my belief that most recipient domains are likely to find not
>>checking author domain SSP (for discardable) as an invitation
>>to abuse.
>
>It's hard to see this as saying anything other than that SSP
>publishers get to regulate the operation of mailing lists,
>send-an-article, etc. run by unrelated third parties.
>

John,

It's not that hard to consider my comment as something other than SSP publishers regulating mailing lists, send-an-article, etc. Your assertion is analogous to blaming the homeowner who retains a security service (and puts up stickers pointing this out) for the fact that the person down the street chooses to leave their doors unlocked, the windows open and keys in the car....and for the fact that homeowner #2 gets abused as a result. The further outcome is that homeowner #1 gets a discount on their insurance while homeowner #2 likely gets dropped by their insurer.

This is not some poisonous plot on the part of homeowner #1 to cause homeowner #2 grief and get their insurance provider to drop coverage. Homeowner #1 has simply raised defenses that make the burglar less likely to abuse them, reduced risk and thus the criminal is more likely to abuse homeowner #2. Homeowner #2 has many options with regard to how they might change their circumstances.

Mailing lists, send-an-article, and other services can operate however they want. I don't envision SSP publishers in any way regulating how those services MUST operate. Different service providers may choose different models of operations as they believe is most appropriate for their circumstances.

Ultimately, receivers - whether organizations or individuals - get to choose which messages (and from whom) they will accept or reject. Receivers may take many things into consideration. It may be that DKIM or SSP never grow to be one of those things - time will tell.

Note that I did not state that recipient domains would/should take a particular action based on checking author domain SSP, I only pointed out that not checking generally, if the information is available, would be an open invitation to abuse. It may be that receivers generally view the ietf-dkim list as "good" and allow messages from that list through regardless of DKIM or anything else.
On the other hand some recipient domains may choose to view email purporting to be from their domain (for example Mail From) and originating from someone else's server as bad.....hmmm, wait a second, many organizations already do that without resorting to DKIM. I have noted some MTAs that reject mail if RFC2822 From does not match RFC2821 Mail From. I find nothing in the RFCs that would support or encourage such an approach but I also recognize that if it works for that domain then that is their prerogative.

I would like to point out your CircleID article from June 2004 entitled "Email Address Forgery" http://www.circleid.com/posts/email_address_forgery/. In it you claimed greeting cards as one of the "victims" that would be broken by then newly proposed validation schemes. At that time, we were unable to take advantage of those various approaches. We decided to change our approach so that we could take advantage of those approaches. Nobody regulated or mandated that we change. We simply felt that these approaches enabled us to work with others to reduce messaging abuse and have thus embraced them.

You choose to remain skeptical regarding these approaches. That is your prerogative. I remember a time when SSH was newfangled and most folks used telnet and r commands. There may be some people who admin boxes using telnet across the open internet... I don't know of any personally.

>Even if it's against my internal rules for one of my users to
>contribute to a mailing list to which you subscribe, I can't
>imagine how I could expect that you enforce my rules against my users.
>

This leads us to the ugly. There is a difference between stating, expecting and demanding. I'm not commanding you to enforce my rules on your list. You will choose to do what you wish. Remember King Canute? I'm not demanding that any receiver reject mail from any source.
I'm not even expecting that all receivers will reject mail purporting to be from my domains but are not signed - regardless of any statement made in SSP. Receivers will do what they choose. If ignoring SSP works for a particular receiver then that is what they will do. If another receiver chooses to incorporate SSP as one of many things they consider, more power to them. Some receivers may choose to reject anything purporting to be from my domains that does not have an authenticated signature. I happen to believe that something similar to the homeowner example will occur.

You are asking me to argue about users when I personally am seeking to protect originating domains that have no users (other than in direct support of the domain's activities), only role accounts for which messaging is generated from applications. ssp-02 recognizes that particular circumstance and addresses it, for which I am appreciative.

Some domains with user accounts may choose to make a strict assertion/discardable. Others may choose not to. That's the beauty of choice. We should always remember that the right and ability to make choices inherently includes the right to make poor ones - whatever your particular definition of poor happens to be.

>Or to put it more baldly, it's not mail abuse just because I
>don't like it.
>

I don't care to go too far down this path as it's really a strawman. Unless you reject the notion of equity interest in a domain name (that is, a domain name is something that one has property/ownership right in) then you cannot claim it is simply something that "I don't like". Whether it is a large company or an individual domain owner, they do have the right to make statements about the proper (or improper use) of their name. Your apparent concern is that someone might listen to that statement.

I personally feel no need to go down the legal/philosophical path on this because ultimately, the receiver (domain or individual) has the whip hand.
Engage in practices they don't care for - whether you call it abuse or "I don't like" - and your messages will not go through. It is really that simple. Nobody is forced to carry another's traffic and nobody is forced to accept someone else's messages.

Mike

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
