On Jan 19, 2006, at 8:44 PM, Eliot Lear wrote:

Most lists confirm the email-address by mailing back a link to verify that the participant indeed receives email at that email-address and wishes to subscribe to the list, a double opt-in. Will participants on a list need to have their own certificate? You seem to be validating Phillip's concept of using trusted certificates rather than DKIM's self issued public keys.

That's not really where I was going. What I more envision is that a mailing list will have its own reputation that will match the LCD of the list, just as you say, but that the way to protect against that is for lists to be at least a little picky about who they allow on.

Perhaps the list-servers can be quick to kick-off bad-actors, which they are fairly good at doing, but what does being picky mean? The bad actor would only need to send a message with a link, which is not something that would appear to be spam until it appeared in everyone's inbox. When you say the reputation of the list, this too is rather problematic. When the list is "thin" there may not be any DKIM signature added by the list-server. Why would they want the grief so to speak? If the list-server is "thick", then why pass on signatures that may have been damaged? From a safety premise, no incoming signatures should be passed on as a best practice.


After all, we've said that dkim is just a part of the solution, and we've indicated that reputation systems are important (albeit out of scope for this group), so why not let them address this problem as well?

There should be serious doubts about being able to keep up with a potential replay problem. The dissemination of virus information is already a major expense, which makes extrapolating the budget needed for chasing "bad" signatures used in a replay both unpleasant, as well as likely too slow to be effective. It would seem this is expecting too much of a reputation service.


Sender beware. If it were to become common practice to overlay or remove the DKIM signature upon delivery...

The ONLY time one removes a signature is when one breaks it.

The community already expects senders to be careful about where they send their messages. If there is a common practice that all receiving domains keep incoming signatures from being seen and replaced by the MDA signature, the replay-abuse-list would not be too onerous to maintain. That _could_ be a service that could be disseminated without taxing network bandwidth.

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org
