Dave CROCKER wrote:
>
> Michael Adkins wrote:
>>> Req. #3 requires some sort of assessment mechanism, such as a third-party whitelist.
>>>
>> There are two questions that you have to answer before you send a report. One is where to send it. How to answer that question is a good candidate for standardization, I think. The other is whether you should send it or not. This is a much stickier question, as the policies for existing FBLs vary widely and there is scant little consensus. On the one end you have folks like Outblaze, who require a strong whitelist status for the sender in order to receive reports. On the other you have AOL, who will send reports to anyone who can display a reasonable amount of authority for the domain (access to the postmaster@ mailbox for a confirmation, for example). These differences are due to policies based around everything from filtering strategy to legal requirements, and there is little motivation to converge. As such, I find this part to be a poor candidate for standardization, beyond addressing the bare minimum authority requirements. If there is a strong desire to do so, that's fine, but please keep it separate from the 'where to send it' question.
>
> I think the "whether" question divides into two parts.
>
> The first is authority for receiving reports. This is more than just being told where to send reports; it satisfies the requirement to determine that the directive for where to send reports comes from an authority to make that request. So, is the "where" a valid request?
>
> The second is whether the reporting agency wants to honor that valid request. That's the role of the assessment mechanism. You cite Outblaze, which requires a strong assessment, and you cite AOL, which effectively requires none -- it will send a report to anyone asking for it and authorized to do so. I can't think of any reason that is or should be inherent to this mechanism for constraining the assessment step -- the Outblaze and the AOL policies both ought to be acceptable.
>
> In the summary, I tried to wave my hand about what assessment step might be performed. I think you've demonstrated why it's important NOT to specify very much about it. But I don't think you've highlighted any error or problem with this part of the summary. (In contrast with the corrections you supplied for other parts of the summary.)
>
>>> I guess my question is why this doesn't come for free, when honest-to-goodness operator-oriented domain name white lists gain traction? Such lists are the real goal of doing /any/ DKIM signing. So once you have sending operators signing with DKIM and an array of assessment mechanisms using DKIM-verified domain names, why can their use be easily extended to this type of FBL?
>>
>> They can if the whitelist's requirements comply with your FBL policy. So, you are correct in that eventually we should get it for free. This is a good argument for leaving the 'should I send it' question separate from 'where to send it'.
>
> and, to be complete, the "is the specification for where to send it valid?"
>
> d/

I can agree with all this. Specify how to validate the request. Mention that trust is important and why, but leave it to the report sender to specify.

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
