----- Original Message ----- From: "Douglas Otis" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: Re: [ietf-dkim] SSP security relies upon the visual domain appearance
>> On Tue, 2005-11-22 at 22:56 -0600, Arvel Hathcock wrote: >> Doug, I'm not convinced there is such a thing as an "email-address >> owner" to which you often refer. I don't think I know any >> "email-address owners". I know plenty of "domain owners" >> though. ..... > By email-address owner I was attempting to draw a distinction between > the domain owner running the email server from the domain owner > establishing email-addresses. The email-address owner often employs the > services of the domain owner running the email server. For DKIM, this > distinction could be seen by a different domain signing the message from > the domain of the email-address. It could be said each own their > domain. Perhaps I should keep saying email-address domain owner. The user does not own the email address domain and the email address domain owner has full rights over its usage. Always has and always will. The only reason the so call "freedom" exist is simply because there was no controls in place before, hence the major exploitation and abuse of the domains. You are trying to remove all rights to control the domain owner's property and you really haven't consider the idea the email service may not want to get involved in allowing blatant fraudulent usage of restricted domains. You are making an incorrect assumption that services will want this FREEDOM without any sort of verification. Even then, DKIM/SSP allows for 3rd party signing, if this what the email service wants to offer. I took a quick survey of my customers a few weeks ago and BY FAR, all of them wanted control of the usage of their domains by their users. They want the flexibility on a security group profile (domain) basis. Some want to allow the freedom for some domains, for other domains they do not. Not every ISP service is a PUBLIC service bureau Doug. A good example, off hand, is ISP for car dealerships, each with a domain reflecting the car dealership. They don't want spam just like the next guy and they don't want these "high-value" domains exploited externally. Your solution KEEPS the doors open to status quo exploits across the board. Your solution would prevent the controls of restrictive domains across the board. The core signature is NOT enough, with or without OPID. A SSP is essential to obtain optimal benefits. Just consider even if you had a OPID concept. You would still need a deterministic control to validate its usage. What if its was wrong? What if it doesn't make sense? What if it isn't OPID ready? Which policy do you honor? Which do you not honor? Are you still going to pass the BAD transactions to the user? At what point does it become automatic rejection or acceptance? It really doesn't matter what idea you have. You gotta have some level of logic to make this hard rules. You MUST have some level of dissemination to separate the good from the bad, to eliminate the obvious. You must have technical protocol consistency. -- Hector Santos, Santronics Software, Inc. http://www.santronics.com _______________________________________________ ietf-dkim mailing list http://dkim.org