Ian Eiloart wrote:

> I understand the issue here, but part of the point of DKIM/ADSP is to allow
> automated systems to assign reputation to an email domain or email address
> - a byte string.

First, d= is only a domain, not an address.

Second, DKIM semantics do not claim that any part of a message is "valid", except for the d= string. As a side-effect of the mechanism used to achieve this, DKIM also claims that the bits covered by the authentication hash are the same at verification as they were at signing time, but that's quite different from claiming that they are "valid".

Third, there is a very basic difference between assigning a reputation to a name that is voluntarily provided -- such as the d= string -- versus trying to catch deceptive, unsigned messages. They cover completely different philosophies and technologies.

The intent behind ADSP is to create an overlap for the otherwise-independent topics. It works for some very narrow -- but still useful -- scenarios, and very much does not work for any other scenarios. We need to be careful that we distinguish between scenarios that are reasonable to include in any mechanism that requires end-to-end perfection, versus other legitimate scenarios that are not subject to such tight controls.

> Those automated systems will be able to distinguish
> between paypal.com (likely with high positive reputation) from paypa1.com

A message from a Bad Actor either will not be signed or will not have a reputation history. So the idea that there is a task of "distinguishing" between paypal.com and paypa1.com really misses the point: for DKIM reputation, all that matters is paypal.com.

> Furthermore, such systems could be designed to look for close mismatches,

Such systems could be designed to use an infinite array of heuristics; in fact they already are. What is not clear is how this is relevant to a standards discussion about DKIM or ADSP.

> It might be nice if paypal could publish in the DNS a set of related
> domains, that it is willing to share the reputation of paypal.com with.

Why? What would it take to maintain it? Who would use it? Why do you believe they will use it?

Why is it not sufficient for those "related" domains to develop their own reputation?

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
