> -----Original Message-----
> From: [email protected] [mailto:ietf-dkim-[email protected]] On Behalf Of Jeff Macdonald
> Sent: Friday, October 01, 2010 4:19 PM
> To: [email protected]
> Subject: Re: [ietf-dkim] Updated implementation report
>
> On Fri, Oct 1, 2010 at 1:05 PM, Dave CROCKER <[email protected]> wrote:
> >
> > On 10/1/2010 9:58 AM, MH Michael Hammer (5304) wrote:
> >> As far as your example of intelligence, your question regarding
> >> "importance" is incomplete. Important to whom and in what context?
> >
> > Exactly. Please re-apply this point to the current topic...
> >
> >> Note, I didn't say that 3rd party signing was less important generally.
> >> What I wrote (or intended to write) was that my belief is that 1st
> >> party signing represents a higher value proposition to 1st party signers
> >> than 3rd party signing represents to 3rd party signers.
> >
> > Oh. Sorry. I didn't get that. It's an interesting idea but I'd want to hear
> > it explored quite a lot, since the idea of value is pretty broad. For example,
> > if 3rd party signatures allow an ESP to get mail delivered better and,
> > therefore, to stay in business, I'd be hard-pressed to call DKIM's 'value' lower
> > than for a first-party signer.
>
> I find this exchange very interesting. I thought the value of DKIM was
> to provide a stable identifier. I find 1st party signing to be rather
> constrained. It seems to defeat the purpose of DKIM. One might as well
> resurrect DomainKeys, because it seems to have the same goals as 1st
> party signers.
>
> I'd like to propose Author Domain Signatures as signatures that the
> author domain authorized. The ATPS and ALS proposals are ways of doing
> that. Update ADSP to use this definition instead of "d= matches the
> RFC5322:From domain".
>
> I believe this allows everyone to get the best value of DKIM.
>
I find the exchange interesting as well. Of course the purpose of DKIM is to provide a stable identifier.... that does not mean that all stable identifiers should be given the same weight. Warren Buffett is a stable identifier. Michael Hammer is a stable identifier. Which stable identifier are you going to give more weight to if the message associated with the stable identifier relates to investing? Which stable identifier are you going to give more weight to if the message associated with the stable identifier is about email authentication?

Context is always important and trying to say that a 3rd party signature/stable identifier is absolutely no different than a 1st party signature/stable identifier brings us into Animal Farm territory...... All stable identifiers are equal but some are more equal than others.

There is an inherent difference between a domain signing a message for itself and a 3rd party signing a message. It may not be stated in the RFC but it is there nonetheless.

What you are proposing, Jeff, is a means to delegate signing to a 3rd party by the first party. That is different than a 3rd party who handled the message signing on the basis that it handled the message (what we have today). That is, you wish to add delegated authorization.

The domain is the domain is the domain. 3rd parties may come and go. We do not know how stable an identifier 3rd party signing is in the wild. It will be good to have more data points before engaging in this discussion.

To pick on you a little, if a domain owner uses your approach to authorize signing by an ESP1, what is the stable identifier we are talking about? Is it specific to this customer or is it shared across customers? Does the domain owner understand potential impacts on their reputation (assuming domain based reputation systems ever get off the ground in our lifetime)? What happens when the domain owner dumps ESP1 and goes to ESP2? Do they lose whatever (we assume fantastic) reputation they had? Do they go to square 1 or are they borrowing/renting reputation from ESP2? If they are borrowing/renting reputation from ESP2, how do they know that ESP2 isn't using their domain's good reputation to help other not so good senders at ESP2? Diluting the badness so to speak.

I'm assuming this desire for 3rd party signing to have the same weight as 1st party signing is somehow related to deliverability and not abuse. I've never been a big fan of the reputation bandwagon. I view reputation as "What have you done to me today". We can all sing that tune but not do the dance in spike heels.

From my perspective, senders generally get the reputation they deserve. It doesn't matter whether it is IP based or domain based. Mailbox providers are not stupid. They can see the practices of senders as well as the response of recipients. Many mailbox providers have better insight than the emitters of mail streams.

Just a few random thoughts on a Friday afternoon.

Mike

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
