On November 5, 2005 at 08:20, Douglas Otis wrote:
> The opaque-identifier provides a means to automate compromised systems
> out of existence by reducing tracking efforts by an order of magnitude.
> The opaque-identifier would not expose people's identity as SSP does.
> The opaque-identifier would
In my view, the
charter should reflect what is being protected.
We have had apparent, rough consensus on the draft charter text for some
time. As interesting as the latest round of discussion is, it has not
seemed to garner much support.
However, the best way to gauge this probably i
On Nov 5, 2005, at 2:32 PM, Hector Santos wrote:
In my view, DKIM is essentially protecting the email message transport
system.
But it's not. It is protecting the domain. I can test everything about DKIM
outside a transport system. I don't need SMTP to work it. It has nothing to
do wit
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: "Hector Santos" <[EMAIL PROTECTED]>
> In my view, DKIM is essentially protecting the email message transport
> system.
But it's not. It is protecting the domain. I can test everything about DKIM
outside a transport system
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
> In my view, the charter should reflect what is being
> protected. Is it the transport or an email-address?
Neither Doug.
It is the domain being protected. The DK in DKIM is "Domain Key"
The OA ema
On Nov 5, 2005, at 8:35 AM, Dave Crocker wrote:
Where is this exchange going and how does it help the working group
get chartered?
When used to protect the email message transport system, DKIM can be
very beneficial at thwarting address hijacking when combined with DoS
protection, and a
Douglas Otis wrote:
On Sat, 2005-11-05 at 05:04 -0500, Hector Santos wrote:
You and Hector have had a 2-day exchange, with almost no posts from anyone
else on the thread.
Where is this exchange going and how does it help the working group get
chartered?
d/
--
Dave Crocker
Brandenburg
On Sat, 2005-11-05 at 05:04 -0500, Hector Santos wrote:
> Where do you get the "expose expressed desire" that a domain will even want
> you to sign its messages in the first place? Does the domain have choice in
> the matter?
In my view, DKIM is essentially protecting the email message transport
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: "Hector Santos" <[EMAIL PROTECTED]>
> On Sat, 2005-11-05 at 00:38 -0500, Hector Santos wrote:
>
> > And how do to a VERIFIER or SIGNER get this "exposed expressed desire?" How
> > does the VERIFIER and possibly RESIGNE
On Sat, 2005-11-05 at 00:38 -0500, Hector Santos wrote:
> And how do to a VERIFIER or SIGNER get this "exposed expressed desire?" How
> does the VERIFIER and possibly RESIGNER get this information?
The opportunistic scheme is rather simple, so I try fewer words.
As the MDA sees broad-bindin
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
>> In other words, to minimize RISK for SDP, you are requiring all
>> DOMAINS to subscribe to the DNA service or some SDP repository.
>
> You keep bringing up DNA, but I can not see why.
Didn't you say that signature policy
On Nov 4, 2005, at 2:10 PM, Hector Santos wrote:
The criteria would be limited to that within the signing-domain.
Ok, ok, I think I am understanding now. :-)
So now, the signing domain now has a "SDP" (Signer-Domain Policy), that he
defines and controls and can use to regulate the free-
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: "Hector Santos" <[EMAIL PROTECTED]>
> On Nov 4, 2005, at 12:13 PM, Hector Santos wrote:
>
>> So what you are saying that is it OK to spoof the From Header as
>> long as the SENDER is authorized via CSA/DNA?
>
> Not at all.
On Nov 4, 2005, at 12:13 PM, Hector Santos wrote:
You seem to be ignoring the new requirements inflicted by SSP where
the From header must be altered in thousands of applications to
introduce two addresses instead of the normal one.
So what you are saying that is it OK to spoof the From Hea
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: "Hector Santos" <[EMAIL PROTECTED]>
> You seem to be ignoring the new requirements inflicted by SSP where
> the From header must be altered in thousands of applications to
> introduce two addresses instead of the normal one
On Nov 4, 2005, at 10:01 AM, Hector Santos wrote:
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: "Hector Santos" <[EMAIL PROTECTED]>
The limitations of specifying the relationships between signing-
domains and email-address make SSP impractical. Once SSP is
attemp
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: "Hector Santos" <[EMAIL PROTECTED]>
> The limitations of specifying the relationships between signing-
> domains and email-address make SSP impractical. Once SSP is
> attempted however, one can expect that compliance will
On Fri, 2005-11-04 at 06:07 -0800, Douglas Otis wrote:
Sorry,
A url correction:
See:
9. Binding Identifiers
http://www.sonic.net/~dougotis/id/draft-otis-mass-reputation-03.html#anchor9
-Doug
___
ietf-dkim mailing list
http://dkim.org
On Fri, 2005-11-04 at 10:20 +, Stephen Farrell wrote:
> Doug,
>
> Douglas Otis wrote:
> > Once DKIM considers how to handle cases where the signing-domain and
> > email-address domains are frequently different, then opportunistic
> > techniques like those found in SSH look better than some
Doug,
Douglas Otis wrote:
Once DKIM considers how to handle cases where the signing-domain and
email-address domains are frequently different, then opportunistic
techniques like those found in SSH look better than some complex array
of DNS records. In the odd case where a domain is being
CSV has nothing to do with DKIM.
SSP is part of the DKIM effort.
Therefore CSV has nothing to do with SSP.
Any attempt to link CSV with DKIM or SSP goes far beyond the scope of the
current DKIM effort.
Therefore, discussion of it serves only to confuse the hell out of things.
d/
--
Dave C
On Nov 2, 2005, at 8:40 PM, Hector Santos wrote:
You mentioned CSV can return DKIM information. Cool. That means if the
PAYLOAD is not signed, then I can reject it. Then I would black list the
CSV machine for blasting it over and over.
But of course, I like efficiency, so I will delay the
To: "Hector Santos" <[EMAIL PROTECTED]>
Cc: "Scott Kitterman" <[EMAIL PROTECTED]>;
Sent: Wednesday, November 02, 2005 9:01 PM
Subject: Re: [ietf-dkim] SSP acceptance chart
>
> On Nov 2, 2005, at 4:14 PM, Hector Santos wrote:
>
On Nov 2, 2005, at 4:14 PM, Hector Santos wrote:
This is indeed a common refrain. Until MUAs are modified, DKIM
offers no such protection however.
You are limiting your scope to offline world. What about the online
world?
The majority of users see only the pretty-name and are enticed b
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: "Hector Santos" <[EMAIL PROTECTED]>
> This is indeed a common refrain. Until MUAs are modified, DKIM
> offers no such protection however.
You are limiting your scope to offline world. What about the online world?
>
On Nov 2, 2005, at 11:50 AM, Hector Santos wrote:
I doubt that an email service, who values customer service and PR
as much as the next service, will not disclose a TOS or inform
users the change in policies.
Terms of service are irrelevant. Who is held accountable with
respect to reput
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
> This system needs to be fair and effective when applied within an
> environment occupied by a massive number of compromised systems.
> This is once again attempting to devise a scheme where the consumer
> of email services m
Doug,
I don't imagine we are ever going to agree on this.
I really don't understand your view of the world and I am pretty well
convinced I never will.
I do not think that adding another level of unpredictable heuristics to spam
filtering and calling it reputation is a particularly good thin
On Nov 2, 2005, at 10:32 AM, Scott Kitterman wrote:
On 11/02/2005 13:19, Douglas Otis wrote:
...
...of no signature? This seems to force the use of SSP and
completely ignore the reputation of the signing-domain, does
it not?
That's a feature, not a bug.
Twisting arms? Shifting accountabi
- Original Message -
From: "Douglas Otis" <[EMAIL PROTECTED]>
To: "Hector Santos" <[EMAIL PROTECTED]>
Cc:
Sent: Wednesday, November 02, 2005 1:19 PM
Subject: Re: [ietf-dkim] SSP acceptance chart
> It is interesting that an invalid signature
On 11/02/2005 13:19, Douglas Otis wrote:
...
> ...of no signature? This seems to force the use of SSP and completely
> ignore the reputation of the signing-domain, does it not?
>
That's a feature, not a bug.
Scott K
On Nov 2, 2005, at 9:47 AM, Hector Santos wrote:
Table 1.0 - DKIM Verification States illustrates all possible
outcomes for signature verification against SSP.
+--+
|Sender Signing Policy Result