Re: [ietf-dkim] A more fundamental SSP axiom

[Douglas Otis <dotis@mail-abuse.org>]

On Aug 3, 2006, at 12:45 PM, John L wrote:

>>> "I sign all mail" ...
>>
>> As I've said before, there are really two different subclasses of  
>> this one. You can have your mail very well under control, but you  
>> don't have control over what the damage might be in transit. For  
>> some people like banks and phishing targets, that collateral  
>> damage is likely to be acceptable. For most everybody else it's not.
>>
>> So I guess it just intrinsically bugs me that the former is a  
>> pretty rarified class  of sender, and is SSP really _only_ for  
>> them? (leaving I send no mail aside).  Is there little or no value  
>> in knowing that you sign everything, but transit related damage is  
>> possible?
>
> We have to keep in mind that the recipient is interpreting this  
> stuff, and it's up to the recipient to decide what risk they are  
> willing to accept. Transit damage is always possible, so I don't  
> see any value in pointing that out.  As a receiver, I find a hint  
> that unsigned mail from you is probably bogus to be useful.  Your  
> own opinion of the value of that mail is not.

A method to indicate whether other services might be employed that do  
not retain the integrity of the signature and then do not sign or  
sign with a non-designated domain, or originate the message and then  
do not sign or sign using a non-designated domain would be helpful.   
Those with heavily phished domains may be willing to forego these  
related services that are producing such results.  A stipulation  
indicating such abstinence would be useful to the recipient.


> I also don't see "I sign everything" as limited to large  
> companies.  My lawyer is part of a small firm with their own mail  
> server on a leased line.  I expect they have enough sense to tell  
> people that if they want to send mail from home or on the road, use  
> the company's web mail.  They'd be a perfectly good candidate for  
> "I sign everything", and I don't think they're at all atypical.

When DKIM signing is offered by large ESPs, it would be in their  
interest to take the steps to securely authenticate and verify  
reception of the From address prior to use.  This extra effort would  
allow autonomous management of the email-address domain's  
relationship with that of this provider.  Those DKIM providers taking  
the extra step of confirming reception should attract more users and  
gain greater delivery acceptance.  This would also expand DKIM's  
coverage of From email-addresses at a faster rate.

The administrator for a law office could make a policy assertion that  
their "DKIM-SAFE" provider is a designated signing domain.  This  
would permit their staff to make use of this provider.  The law  
office would then be relieved from setting up outbound services or  
making complex arrangements.  A requirement that the From domain  
matches the signing domain could be supplanted by a policy statement  
that lists the "DKIM-SAFE" provider as a designated signing domain.

There would be no need to arrange zone delegations, or exchange  
selector and key information on a regular basis for this to work.  A  
designated signing domain that authenticates and confirms reception  
of the From email-address should be adequate.  This would be in lieu  
of separately establishing DKIM signing or the outbound provider  
selecting prearranged key/domain combinations to enforce From/signing  
domain alignment.

As far as reputation is concerned, there is safety in numbers.  DKIM  
done the right way should also reduce abusive traffic.  Unusual  
confirmation activity could warn that someone may be attempting to  
abuse their service.  Clean-up could be expunging the offending  
confirmed email-address and recommending a scrub to the user owning  
the account.

-Doug


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html