>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Wietse Venema
>Sent: Friday, February 08, 2008 6:37 PM
>To: [email protected]
>Subject: Re: [ietf-dkim] draft-ietf-dkim-ssp-02.txt Discardable/Exclusive
>
>MH Michael Hammer (5304):
>> If a domain chooses to sign DKIM with respect to a From field email
>> address that purports to be from that domain and that domain has the
>> ability to make an assertion (of any sort) through SSP with regard to
>> its practices:
>>
>> Is the potential benefit afforded a receiver by checking that SSP
>> assertion AND taking whatever (unspecified) action worth the effort of
>> doing so? If receivers are likely to have little or no
>> benefit/interest in checking SSP then the rest of the discussion is moot.
>>
>> In other words, is the juice worth the squeeze?
>
>Spammers can use DKIM and SSP too. Therefore the juice is
>not worth the squeeze unless the receiver actually knows the domain.
>Perfect DKIM+SSP by a total stranger is relatively meaningless.
>
I'm asking in terms of the overall implementation. In a world where all domains are strangers the juice is definitely not worth the squeeze. That is the chicken and egg of kickstarting adoption. Is the same true where half (or pick a percentage of your choice) the domains are strangers? At what point do the benefits of checking outweigh the costs of checking?

>But we've already visited that station many times in the past.
>
> Wietse

While it may be absolutely correct with no context, it is relatively meaningless at a micro level until behavior starts to be examined and matched to that signature. At a macro level it may be that receivers assign a reputation to newly signing domains based on general experience with the class (or segments based on type of mail received from that class) of newly signing domains. It may be that DKIM+SSP will be matched to previous mail flows by IP address or other characteristics associated with a sender. Until DKIM+SSP is in the wild it is hard to say how that will play out.

If we are trying to use DKIM+SSP to directly identify "bad" then I'm not sure how useful it will be. There are plenty of ways for bad actors to act bad. On the other hand, if DKIM+SSP allows some determination of "good reputation" (tied to behavior of that signing domain) - even if over time - then it may be useful in some cases. If that then enables a comparison of the two (where bad is purporting to be the good actor within certain parameters) it may be useful in other cases.

It will certainly be interesting to see what happens when DKIM+SSP "good reputation" turns to "bad", especially when it involves subversion of a domain's own security processes. Much talk of how reputation is gained but little of its loss. How sticky will good reputation based on DKIM+SSP or other metrics be?

Without SSP, how (or even why) will receivers choose to take advantage of DKIM? I'm not talking a handful of domains, I'm talking more general adoption by receivers.
If potential 1st party or 3rd party legitimate signers (not the bad guys) don't have some expectation as to how receivers will interpret and act on their signing, how strong an incentive do they have to begin signing? I'm also assuming that their expectation has to be a positive outcome or they have a disincentive to sign.

It's a given that spammers will try to use/abuse DKIM and DKIM+SSP to cloak themselves with. It's the nature of the beast. This ties into other issues surrounding mail, domain host compromise and other abuse. I fully realize that even if DKIM+SSP can afford protection for certain things it doesn't protect from all bad things. That's another given.

My understanding with regard to DKIM and other authentication approaches is that the goal is to stake out defined areas and practices which can identify/protect legitimate (even if limited or only after reputation is built) mail and hopefully drive out bad actors from those areas. So if it isn't 3PS (01) and it isn't ASP (02) then what is it that is to be identified/protected by SSP?

There are at least three large receivers that are checking DKIM and assigning pass/fail to those signatures, even if they may not currently be taking action on those determinations. I have to assume that there is a perceived potential benefit on their part to checking for signatures as well as checking of signatures. Is DKIM checking sufficient in itself without SSP? How might DKIM-SSP help receivers (the 3 aforementioned as well as others) leverage their evaluation of received email whether signed (valid or not) or unsigned?

Mike

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
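The receiver-side trade-off argued over in this exchange (a valid signature from a stranger says nothing by itself; a published signing policy is what lets a receiver act on mail that is *not* validly signed) can be made concrete. The following is an added illustration, not code from the thread or from draft-ietf-dkim-ssp-02: the policy vocabulary ("unknown", "all", "discardable"), the domain names, the reputation scores and the disposition labels are all assumptions chosen for the example. It contrasts a receiver that only verifies DKIM with one that also consults the author domain's policy and its own reputation store.

```python
"""
Receiver-side disposition combining a DKIM verification result, an
SSP-style policy published by the author (From:) domain, and a local
reputation store. Added example with an assumed policy vocabulary;
it does not reproduce the draft's actual record syntax.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed policy records standing in for DNS lookups of the author
# domain's assertion. "all": the domain says it signs all its mail.
# "discardable": it also asks receivers to drop mail lacking its signature.
# A domain absent from the table publishes nothing ("unknown").
POLICY_RECORDS: Dict[str, str] = {
    "bank.example": "discardable",
    "newsletter.example": "all",
    "spammer.example": "all",      # spammers can publish a policy too
}

# Constructed reputation store: accumulated experience with a signing
# domain, in [-1.0, 1.0]. Domains absent from it are strangers.
REPUTATION: Dict[str, float] = {
    "bank.example": 0.9,
    "newsletter.example": 0.4,
    "spammer.example": -0.8,
}


@dataclass
class Message:
    author_domain: str                   # domain of the From: address
    dkim_result: str                     # "pass", "fail" or "none"
    signer_domain: Optional[str] = None  # d= of the verified signature, if any


def _author_signed(msg: Message) -> bool:
    """True only for a passing signature made by the author domain itself."""
    return msg.dkim_result == "pass" and msg.signer_domain == msg.author_domain


def _reputation_disposition(domain: str, reputation: Dict[str, float]) -> str:
    """A valid first-party signature only tells us which identity to look up."""
    score = reputation.get(domain)
    if score is None:
        return "neutral"   # perfect DKIM from a total stranger: no information
    if score < 0:
        return "reject"    # the signature binds the mail to a known bad actor
    return "accept"


def evaluate_dkim_only(msg: Message, reputation=REPUTATION) -> str:
    """Baseline receiver: verifies signatures but never looks up a policy."""
    if _author_signed(msg):
        return _reputation_disposition(msg.author_domain, reputation)
    return "neutral"       # unsigned or broken: indistinguishable from a non-signer


def evaluate_with_policy(msg: Message, policies=POLICY_RECORDS,
                         reputation=REPUTATION) -> str:
    """Receiver that also checks the author domain's published signing policy."""
    if _author_signed(msg):
        return _reputation_disposition(msg.author_domain, reputation)

    # No acceptable first-party signature (unsigned, failed, or signed only by a
    # third party). Only the policy check gives the receiver anything here.
    policy = policies.get(msg.author_domain, "unknown")
    if policy == "discardable":
        return "discard"   # author domain asked for exactly this
    if policy == "all":
        return "suspect"   # domain claims to sign everything, yet this is unsigned
    return "neutral"


if __name__ == "__main__":
    samples = [
        Message("bank.example", "none"),                      # forged, unsigned
        Message("newsletter.example", "pass", "esp.example"), # third-party signer
        Message("stranger.example", "pass", "stranger.example"),
        Message("spammer.example", "pass", "spammer.example"),
        Message("bank.example", "pass", "bank.example"),
    ]
    for m in samples:
        print(f"{m.author_domain:20} dkim={m.dkim_result:4} "
              f"dkim-only={evaluate_dkim_only(m):8} with-policy={evaluate_with_policy(m)}")
```

The two functions differ only on mail without a valid first-party signature: the DKIM-only receiver can do nothing with it, while the policy-aware receiver can flag or discard it when the author domain has asserted that it signs everything. Validly signed mail gets the same treatment either way, which is Wietse's point that the signature alone is worthless until the receiver has some history with the domain.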
