On 6/21/10 12:00 PM, John R. Levine wrote:
> As threatened, here's an I-D that says how one would publish a list
> of domains for which it makes sense to discard unsigned mail.
>
> Since I'm a big fan of running code, you can find such a list at
> drop.services.net of domains that (in my opinion at least) sign all
> their mail with DK or DKIM, and for whom it makes sense to drop
> unsigned mail.

John,
What motivates using two domains in a query, which still excludes the relationship between the author-domain and the third-party service? The tpa-label scheme is informative of a specific relationship between the author-domain and the third-party service, thereby allowing responses to the specific threats and requirements of the author domain. Why not allow a means for domains to indicate they don't use some social network, without making the third-party service unusable for any other domain?

A vouching (reputation) service that protects against spoofing using the vbr structure will likely confront difficult-to-resolve administrative problems. Thresholds for blocking a domain will likely cause collateral losses for other domains not normally phished when other domains are being heavily phished.

Because DKIM signatures can be replayed, including ancillary conditions, such as requiring a List-ID or Sender header, better isolates poorly vetted messages without users seeing different email domains used. Of course, these headers depend upon the relationship between the third-party service and the author-domain. The tpa-label scheme allows selective inclusion of other header requirements based upon the author-domain. This information allows recipients to depend upon these headers when sorting messages having different levels of vetting. If these specific relationships are not met, the message would be refused. IMHO, it would be less problematic to use the tpa-label mechanism to make this type of query.

The tpa-label scheme has been improved by isolating the hash labels. Unlike vbr, the tpa-label has less of an impact on the usable domain name. Allowable maximums are not reduced by the size of the vouching domain and the _vouch label. With tpa-labels, a vouching service can handle a domain size up to 241 characters. When a domain provides their own vbr vouching service, the maximal domain size may be a maximum length of 122 characters. This smaller size may not work well for international domain names. The added reference size of vbr also displaces information bound by a DNS response limit, and results in more cache being consumed as well, while still omitting information specific to the third-party service and the author domain.

With tpa-labels, a signer can utilize a vouching service by delegating their _tpa zone, or by using DNAME at this node. Domains can also self-publish their own exception criteria in a manner transparent to recipients. In addition, except for the indirection and extra transaction, there does not appear to be a significant difference between discard by reference and ADSP dkim=discardable?

-Doug

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html