On Aug 25, 2006, at 2:48 PM, Jim Fenton wrote:
> While we aren't defining reputation or accreditation services in
> this working group, it has been widely suggested that such services
> would use the d= domain on the signature as the "lookup key" for
> retrieving reputation or accreditation information.
>
> There is a fundamental difference, then, between key delegation and
> delegation via SSP. In the former (key delegation) case, the party
> applying the signature (delegatee) is merely acting as an agent of
> the delegator to do the mechanics of signature application. It is
> still the delegator's signature, and the "buck stops" with the
> delegator in terms of who has taken responsibility for the
> message. In the latter (SSP delegation) case, it is the
> delegatee's domain that takes responsibility for the message. Some
> have suggested the delegatee might want to use subdomains in order
> to allow reputations to avoid aggregating reputations from
> different delegators (or classes of delegators).
>
> Some implications of this change in responsibility:
>
> 1. Responsible domains using SSP delegation will not be able to
> change signing providers (delegatees) without forfeiting any
> positive reputation they have accumulated. It should really be the
> delegator's positive reputation, because they are the ones acting
> responsibly in their mailing practices and/or the use of outside
> mailing providers. It should not be necessary to start over if you
> change ISPs or outbound marketing providers.

It MUST always be the provider offering outbound services, not the
provider receiving messages held accountable. The designators are
the receivers of email. Not the senders and signers. Reputation is
about watching for abuse when it is sent by your customer, even when
they are using their email-address of the day.

> 2. Delegators are more likely to be diligent in the choice of
> delegatees when it is their own reputation at stake. When it is
> the delegatee's reputation at stake, they can always employ an
> unreliable party, or in the extreme a spammer, and when abuse is
> reported simply say "oh, sorry" but not endure any impact on their
> reputation at all.

Any provider should be able to disable an abusive account at any
moment. This problem is common and does not change with DKIM.
There is also the safety in numbers phenomenon and herd mentality.
ISP.com now has a zillion customers designating them as their signing
domain. A true sign of trust. An ISP that now requires that all
2822.From addresses be validated prior to use should also find their
abuse issues are reduced. There is an upside.

> 3. We are already aware of the potential for the use of throw-away
> domain names by bad actors who otherwise might accrue a bad
> reputation. This opens a new possibility: it isn't necessary to
> get a new domain, just delegate signing to a new entity and "all is
> forgiven".

Just gaining access to a new provider also works. This works 70% of
the time through a compromised system as well. Finding a way to
encourage the use of a rather simple mechanism that fends off
spoofing, irrespective of whether there is any designation being
used, seems like a win-win for the provider and their customers.

-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html