On 7/28/11 2:03 PM, Mark Delany wrote:

>>> DKIM should be viewed as a Work-In-Progress still missing a viable
>>> policy layer.
>> +1. But 5+ years WIP? :) It wasn't rocket science.
> Well, 7+ years ago it was suggested that "Domain policy is nascent"
> with the stated expectation that MARID would soon develop something
> comprehensive to satisfy our needs...
>
> Apropos rocket science, at our current rate of progress we risk
> outliving the Space Shuttle program.

MARID offered unsafe chained record sets as an IP address authorization scheme unrelated to what people were observing. Where IPv6 increases the aggregate list and where DNSSEC increases the amplification, risks to otherwise uninvolved sites increase with this scheme. Vetting messages prior to acceptance likely plays a greater role in lessening MTA burdens anyway.

Open-ended third-party relationships from a policy perspective may seem difficult to express, but it remains possible, whether by the domain or as a service, to acknowledge these relationships. An authenticated domain can be authorized by a published hash label. This would be a safe method to extend policy without requisite two party coordination as currently expected by DKIM. DKIM can be more than just making an assertion "this domain is too big to block." With comprehensive policy, DKIM should be able to prevent spoofing of a domain that may cause recipients to give up on the service. Until policy can be comprehensively applied, other authentication related benefits will likely remain elusive. Of course, such a goal must include proper input validation by DKIM.

-Doug

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
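The "published hash label" idea in the message above, worked through as an added example that is not code from the list or from any draft: the author domain alone publishes a record under a label derived from the third-party signer's name, and the verifier makes one deterministic lookup instead of following chained record sets. The `_tpa._domainkey` namespace, the `v=tpa1` tag, the SHA-256/base32 label construction and the zone contents are all assumptions of this illustration.

```python
import base64
import hashlib

# Constructed stand-in for DNS: the author domain publishes one TXT record per
# third-party signer it authorizes. The "_tpa._domainkey" namespace and the
# "v=tpa1" tag are assumptions of this illustration, not a standard.
CONSTRUCTED_ZONE = {}

def hash_label(signer_domain):
    """Derive a fixed-length DNS label from a signing domain (the DKIM d= value)."""
    digest = hashlib.sha256(signer_domain.lower().encode("ascii")).digest()
    # 20 bytes -> 32 base32 characters, well within the 63-octet label limit.
    return base64.b32encode(digest[:20]).decode("ascii").lower()

def authorization_name(author_domain, signer_domain):
    """Name the verifier queries: one lookup, no includes or redirects to chase."""
    return f"{hash_label(signer_domain)}._tpa._domainkey.{author_domain.lower()}"

def publish(zone, author_domain, signer_domain):
    """What the author domain publishes by itself; the signer need not participate."""
    name = authorization_name(author_domain, signer_domain)
    zone[name] = "v=tpa1; scope=dkim"
    return name

def parse_record(txt):
    """Minimal tag=value parser; unknown or malformed parts are ignored."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def evaluate(zone, author_domain, signer_domain, signature_verified):
    """Return pass / fail / not-authorized for a message whose From: is author_domain."""
    if not signature_verified:
        return "fail"            # only an authenticated d= can be authorized at all
    if signer_domain.lower() == author_domain.lower():
        return "pass"            # first-party signature needs no label
    record = zone.get(authorization_name(author_domain, signer_domain))
    if record is None or parse_record(record).get("v") != "tpa1":
        return "not-authorized"  # an unlisted third-party signer stops here
    return "pass"

if __name__ == "__main__":
    publish(CONSTRUCTED_ZONE, "author.example", "esp.example")
    print(evaluate(CONSTRUCTED_ZONE, "author.example", "esp.example", True))
```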