Re: [ietf-dkim] A more fundamental SSP axiom

["Hector Santos" <hsantos@santronics.com>]

----- Original Message -----
From: "John L" <johnl@iecc.com>
To: "Michael Thomas" <mike@mtcc.com>
Cc: "DKIM List" <ietf-dkim@mipassoc.org>
Sent: Thursday, August 03, 2006 3:45 PM
Subject: Re: [ietf-dkim] A more fundamental SSP axiom


> We have to keep in mind that the recipient is interpreting this stuff, and
> it's up to the recipient to decide what risk they are willing to accept.
> Transit damage is always possible, so I don't see any value in pointing
> that out.

I know what you mean John, but that is exactly what a major part of the
problem is.

"Transit Damage" comes in many forms, and the end result is that it adds a
lower
confidence for the receiver and the recipient-user.

Who is the recipient-user going to blame first when his ISP continues to
pass junk his way?

The industry direction for ISVs is to add more direct logic in this equation
and limit pass on the responsibility or risk to the user.   This is also
being coupled with a higher pressure by policitians for the ISP to take on
more responsibility.  I haven't looked at a particular bill status since it
was introduced last year, but ISPs will be required to AVS and security
software installed or they could be fined and liable for mal-practice.  This
is not being a lawyer, but straight forward High Tech/Law/IP industry
information that any responsible CTO must be kept abreast of.

So IMV, you do have to take a look what "transmit damage" really means. I
can understand that adminstrators don't have control over this, but for the
mail mover software vendors, it does.  The goal is to get all software from
point a to z working together with a new standard to maek DKIM work.

> I also don't see "I sign everything" as limited to large companies.  My
> lawyer is part of a small firm with their own mail server on a leased
> line.  I expect they have enough sense to tell people that if they want to
> send mail from home or on the road, use the company's web mail.  They'd be
> a perfectly good candidate for "I sign everything", and I don't think
> they're at all atypical.

If you ask all your customers the simple question, "Do you want your domain
to be protected from any illegal or malicious representation or abuse?" I am
fairly confident you will get a resounding "Yes" as an answer across the
board.  Of course, followed up with "when do I get this update?"  <g>

John, I don't think anyone wants they domain, email address abused or
misrepresented. I know for my own personal experience, as a user of my own
products, that until it started to help to me, it was the final straw and I
began to do something I was philosophically and militantly against doing for
a long time - making decisions on what mail is good or bad.  So the ethical
compromise was to purely based decisions on technical SMTP compliance
considerations and not any subjected mail content intepretations. That we
pass on to our 3rd party AVS vendors.

That's the same design approach I am taking with DKIM-BASE and SSP/DSAP.
Trying to define all the administrator "use" cases will be nearly
impossible, but one thing that can be done is to define a mechanical
protocol with some enforcement protocols that the software are expected to
follow.  In my view, this isn't a hard problem. Complex? Probably expensive?
Requires coordination? Maybe, but not hard.  DKIM-BASE lays the ground work,
so now we need to see what it will take to make it work so that people will
begin to implement it.  Thats the problem to solve it.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html