nanog mailing list archives

RE: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC


From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Mon, 08 Jul 2019 19:38:03 -0600


DKIM brought nothing of any value since it cannot be used to refuse messages or abort before entering the DATA phase of 
the SMTP conversation.  You are, no matter what, committing resources to receiving the message and accepting 
responsibility for its delivery.  All you can do is fart about AFTER THE FACT, after it is already too late to reject 
the message.

Presently 99.999999% of the SPAM that gets through to me is DKIM signed, yet it is still spam.  In fact, that DKIM 
signature provides absolutely nothing of value whatsoever, except to validate that the SPAM was unmolested between the 
sending MTA and me (which is unlikely anyway, and even more unlikely since the transport is almost always over a TLS 
channel which prevents tampering between the sending MTA and my MTA anyway).

Like I said, DKIM does nothing of value and is directed to solve a problem that does not, never has, and never will, 
exist in the real world.

Contrast this with SPF which does do something of value.  It enables the dropping of the session BEFORE the DATA phase 
if the envelope-from domain is not on the list of authorized MTAs to be sending messages for that domain.  The only real 
problem with it is the allowance of prevarication in the data.

--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.


-----Original Message-----
From: Michael Thomas [mailto:mike () fresheez com] On Behalf Of Michael Thomas
Sent: Monday, 8 July, 2019 19:24
To: Valdis Klētnieks
Cc: Keith Medcalf; nanog () nanog org
Subject: Re: SHAKEN/STIR Robocall Summit - July 11 2019 at FCC


On 7/8/19 6:11 PM, Valdis Klētnieks wrote:
> On Mon, 08 Jul 2019 17:58:17 -0700, Michael Thomas said:
>> On 7/8/19 5:54 PM, Keith Medcalf wrote:
>>> This is because DKIM was a solution to a problem that did not exist.
>>
>> ::eyeroll:: pray tell, how do you "always" know the identity of the MTA sending you a message?
>
> It's more subtle than that - you always know the "identity" of the purported MTA, because you know their IP address.  Whether "purported" is the same as "legitimate" or "authorized" is a whole different kettle of fish....
>
> Remember - port 25 is widely blocked precisely because there were always a plenty supply of MTAs whose identity you knew, sending you spam from consumer living rooms....

Like I said, what DKIM brought is the ability to "blame me". Knowing the IP address doesn't give you that in any useful way. Recall that trust is mainly a social construct, not a technical one. Bruce Schneier has written about that endlessly.

Mike
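As an added illustration of the point about SMTP phases made in this thread (example code written for this page, not from any of the participants): a minimal SPF evaluator over a constructed, hypothetical DNS table, and the decision a receiving MTA can make from it at MAIL FROM, before DATA. The domain names, client addresses and the fake DNS table are assumptions; the include, a, mx and redirect mechanisms are deliberately left out.

```python
"""Minimal SPF evaluator showing why an SPF verdict is available at the
MAIL FROM stage of an SMTP session, before any message bytes are accepted.
Added example for this page; the DNS table and addresses are constructed."""
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains).
FAKE_DNS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.10 ~all",
    # A record that authorizes the whole Internet: the "prevarication" case.
    "permissive.example": "v=spf1 +all",
    "nospf.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a TXT lookup; returns the record string or None."""
    return FAKE_DNS.get(domain.lower())


def evaluate_spf(domain, client_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for a client IP.

    Only ip4, ip6 and all are implemented (with +/-/~/? qualifiers);
    include, a, mx and redirect are skipped, so this is not a full RFC 7208
    check_host(), just enough to show the mechanics.
    """
    record = lookup_spf(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                     # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        else:
            continue                        # unsupported mechanism: skipped here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # no mechanism matched


def smtp_mail_from(client_ip, mail_from):
    """Reply to 'MAIL FROM:<addr>' using SPF alone.

    Returns (reply_code, spf_result).  A 550 here ends the transaction
    before DATA, so no message is received and no delivery responsibility
    is taken on.  DKIM has no equivalent decision at this stage: the
    DKIM-Signature header only arrives inside DATA.
    """
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:                     # null sender (bounces): no SPF identity here
        return 250, "none"
    domain = addr.rsplit("@", 1)[1]
    result = evaluate_spf(domain, client_ip)
    if result == "fail":
        return 550, result
    return 250, result


if __name__ == "__main__":
    for ip, sender in [("203.0.113.5", "<spam@strict.example>"),
                       ("192.0.2.77", "<ok@strict.example>"),
                       ("203.0.113.5", "<spam@permissive.example>")]:
        print(ip, sender, smtp_mail_from(ip, sender))
```

The `permissive.example` entry is the "prevarication" case from the post above: an SPF pass is only as strong as the record the domain owner chose to publish, and `+all` authorizes every host on the Internet, so a pass from such a domain says nothing about the sending MTA.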