IETF Logo Mail Archive

Re: [ietf-dkim] A more fundamental SSP axiom

Michael Thomas <mike@mtcc.com> Fri, 04 August 2006 15:06 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1G91Fb-0000LZ-9v for ietf-dkim-archive@lists.ietf.org; Fri, 04 Aug 2006 11:06:11 -0400
Received: from sb7.songbird.com ([208.184.79.137]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1G91FZ-0004Wt-RH for ietf-dkim-archive@lists.ietf.org; Fri, 04 Aug 2006 11:06:11 -0400
Received: from sb7.songbird.com (sb7.songbird.com [127.0.0.1]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id k74F5NRV000396; Fri, 4 Aug 2006 08:05:23 -0700
Received: from fasolt.mtcc.com (adsl-216-102-208-10.dsl.snfc21.pacbell.net [216.102.208.10]) by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id k74F5EAw000358 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-dkim@mipassoc.org>; Fri, 4 Aug 2006 08:05:15 -0700
DKIM-Signature: v=0.4; a=rsa-sha256; q=dns/txt; l=2210; t=1154703881; x=11 55567881; c=relaxed/simple; s=dicks.drop.kirkwood; h=Content-Type:From:Subj ect:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z= From:=20Michael=20Thomas=20<mike@mtcc.com>|Subject:=20Re=3A=20[ietf-dkim]=2 0A=20more=20fundamental=20SSP=20axiom|Sender:=20|To:=20John=20L=20<johnl@ie cc.com>|Cc:=20DKIM=20List=20<ietf-dkim@mipassoc.org>|Content-Transfer-Encod ing:=207bit|MIME-Version:=201.0|Content-Type:=20text/plain=3B=20charset=3DI SO-8859-1=3B=20format=3Dflowe d; bh=icqLfA07I/dyI9GSAK9d0DhfnJ8ho3s26lHhazgt4Qg=; b=SeNsWJ5Z3Y7rNSm9U0u2/6P19HsdTk+P9G/vIl6iBGjnjULWQ0clg2bvye4Uvryvzi2Z5CIl im3cpSy5iK8NUR+GC2GLfkDtbxomlxZ36ju+ig++Ud8whhhalgiCcQV/;
DKIM-Signature: a=rsa-sha1; q=dns; l=2210; t=1154703881; x=1155567881; c=r elaxed/simple; s=dicks.drop.kirkwood; h=Content-Type:From:Subject:Content-T ransfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:Michael= 20Thomas=20<mike@mtcc.com>|Subject:Re=3A=20[ietf-dkim]=20A=20more=20fundame ntal=20SSP=20axiom|Sender:|To:John=20L=20<johnl@iecc.com>|Cc:DKIM=20List=20 <ietf-dkim@mipassoc.org>|Content-Transfer-Encoding:7bit|MIME-Version:1.0|Co ntent-Type:text/plain=3B=20charset=3DISO-8859-1=3B=20format=3Dflowe d; X=v=3Dcisco.com=3B=20h=3DTHgzsy76Cqx29/einu/PnNiEwmM=3D; b=LtA89lgFj3ZbOoheIzUpT0anO6S6Pl7WohpmP4LFIGysDmUy8qgJQRKdwt/bJyY/qiX+/+zx YLGw4MHeZM4h6+l2C90UQ0P8vSZDbzl6SfuNlJLBXcBnqCXO+CpdCXL1;
Received: from [216.102.208.13] (sj-natpool-220.cisco.com [128.107.248.220]) (authenticated bits=0) by fasolt.mtcc.com (8.13.6/8.13.1) with ESMTP id k74F4eKP010956 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 4 Aug 2006 08:04:41 -0700
Message-ID: <44D36203.2060803@mtcc.com>
Date: Fri, 04 Aug 2006 08:04:35 -0700
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; rv:1.7.3) Gecko/20040913 Thunderbird/0.8 Mnenhy/0.7.2.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: John L <johnl@iecc.com>
Subject: Re: [ietf-dkim] A more fundamental SSP axiom
References: <20060802002353.U59653@simone.iecc.com> <44D0E259.7040400@mtcc.com> <20060802165510.X1168@simone.iecc.com> <44D160BD.7080209@mtcc.com> <20060802223619.E86316@simone.iecc.com> <44D24A20.6050109@mtcc.com> <20060803153457.X33570@simone.iecc.com>
In-Reply-To: <20060803153457.X33570@simone.iecc.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Authentication-Results: fasolt.mtcc.com; header.From=mike@mtcc.com; dkim=pass ( sig from mtcc.com/dicks.drop.kirkwood verified; ); header.From=mike@mtcc.com; dkim=pass ( sig from mtcc.com/dicks.drop.kirkwood verified; );
X-XIPE-SCORES: dispose=pass; ACD=1.00; CLAM=0.00; COMPLY=0.00; URL=0.00; SA=0.00; HONEY=0.00;
X-Songbird: Clean, Clean
Cc: DKIM List <ietf-dkim@mipassoc.org>
X-BeenThere: ietf-dkim@mipassoc.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF DKIM Discussion List <ietf-dkim.mipassoc.org>
List-Unsubscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=unsubscribe>
List-Archive: <http://mipassoc.org/pipermail/ietf-dkim>
List-Post: <mailto:ietf-dkim@mipassoc.org>
List-Help: <mailto:ietf-dkim-request@mipassoc.org?subject=help>
List-Subscribe: <http://mipassoc.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@mipassoc.org?subject=subscribe>
Sender: ietf-dkim-bounces@mipassoc.org
Errors-To: ietf-dkim-bounces@mipassoc.org
X-SongbirdInformation: support@songbird.com for more information
X-Songbird-From: ietf-dkim-bounces@mipassoc.org
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 538aad3a3c4f01d8b6a6477ca4248793

John L wrote:

>>> "I sign all mail" ...
>>
>
>> As I've said before, there are really two different subclasses of 
>> this one.
>> You can have your mail very well under control, but you don't have
>> control over what the damage might be in transit. For some people
>> like banks and phishing targets, that collateral damage is likely to be
>> acceptable. For most everybody else it's not.
>>
>> So I guess it just intrinsically bugs me that the former is a pretty 
>> rarified
>> class  of sender, and is SSP really _only_ for them? (leaving I send
>> no mail aside).  Is there little or no value in knowing that you sign
>> everything, but transit related damage is possible?
>
>
> We have to keep in mind that the recipient is interpreting this stuff, 
> and it's up to the recipient to decide what risk they are willing to 
> accept. Transit damage is always possible, so I don't see any value in 
> pointing that out.  As a receiver, I find a hint that unsigned mail 
> from you is probably bogus to be useful.  Your own opinion of the 
> value of that mail is not.

I think my concern hinges on "probably". For a large domain like cisco 
"possibly"
would probably be closer to the truth meaning that it's certainly a good 
candidate
for higher scrutiny, but if your "probably" is good enough to reject, 
you'd defintely
have a high false positive rate -- from this mailing list if nothing else.

Part of the problem here is the past record of SPF with over-zealous 550 if
there's any hint of bogosity. We, for example, would be forced to take down
a "we sign everything" policy if that were to happen with DKIM -- even 
though
we'll be signing everything pretty soon. If there were a qualifier in 
the "I sign
everything policy" that specifically implies that sending a 550 based on 
a missing
DKIM signature alone is extremely bone-headed" then maybe we can both.
The current SSP has o=! t=y which could in a tortured way be construed to
have that semantic: "I sign everything, but hey I'm testing so take it 
for what
it's worth". If we have something more formalized, them maybe we can
accommodate these two pretty different scenarios.

       Mike
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

v2.23.0 | Report a Bug | By Email