Michael Adkins wrote:
>> Req. #3 requires some sort of assessment mechanism, such as a
>> third-party whitelist.
>>
> There are two questions that you have to answer before you send a
> report. One is where to send it. How to answer that question is a good
> candidate for standardization I think. The other is whether you should
> send it or not. This is a much stickier question as the policies for
> existing FBLs vary widely and there is scant little consensus. On the
> one end you have folks like Outblaze who require a strong whitelist
> status for the sender in order to receive reports. On the other you have
> AOL who will send reports to anyone who can display a reasonable amount
> of authority for the domain (access to the postmaster@ mailbox for a
> confirmation, for example). These differences are due to policies based
> around everything from filtering strategy to legal requirements and
> there is little motivation to converge. As such, I find this part to be
> a poor candidate for standardization, beyond addressing the bare minimum
> authority requirements. If there is a strong desire to do so, that's
> fine, but please keep it separate from the 'where to send it' question.
I think the "whether" question divides into two parts.

The first is authority for receiving reports. This is more than just being told where to send reports; it satisfies the requirement to determine that the directive for where to send reports comes from an authority to make that request. So, is the "where" a valid request?

The second is whether the reporting agency wants to honor that valid request. That's the role of the assessment mechanism. You cite Outblaze, which requires a strong assessment, and you cite AOL, which effectively requires none -- it will send a report to anyone asking for it and authorized to do so. I can't think of any reason that is or should be inherent to this mechanism for constraining the assessment step -- the Outblaze and the AOL policies both ought to be acceptable.

In the summary, I tried to wave my hand about what assessment step might be performed. I think you've demonstrated why it's important NOT to specify very much about it. But I don't think you've highlighted any error or problem with this part of the summary. (In contrast with the corrections you supplied for other parts of the summary.)

>> I guess my question is why this doesn't come for free, when
>> honest-to-goodness operator-oriented domain name white lists gain
>> traction? Such lists are the real goal of doing /any/ DKIM signing. So
>> once you have sending operators signing with DKIM and an array of
>> assessment mechanisms using DKIM-verified domain names, why can their
>> use be easily extended to this type of FBL?
>
> They can if the whitelists requirements comply with your FBL policy. So,
> you are correct in that eventually we should get it for free. This is a
> good argument for leaving the 'should I send it' question separate from
> 'where to send it'.

and, to be complete, the "is the specification for where to send it valid?"
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
