ietf-dkim

Re: [ietf-dkim] Is anyone using ADSP? - bit more data from the receiving side

2009-10-12 02:38:36
On Monday 12 October 2009 15:16:36 John Levine wrote:
> Short summary: DKIM and ADSP offer no meaningful defense against spoofing.

Shorter summary: The WG charter says there should be

> * A few domains are spoof targets, but the vast majority are not.

The scope of what targets there are is increasing because:

1. general service providers are putting out email payment requests for things
like phone and electricity. The motivation to spoof @payments.actewagl.com.au
that could be protected by ADSP would just be as successful as a spoof from
@actewagl.com.au which cannot because of its user base.

2. governments are getting increasingly involved with emailing their citizens
and lucrative social engineering possibilities exist there.

3. government departments would like to be sure that email from other
government departments isn't spoofed. The efforts to ensure trusted email
paths exist for all interconnections locally and globally is not possible.

> For
> that vast majority, even if they do try to sign their mail, the myriad
> ways that legit mail can arrive with a broken signature makes it a
> poor practice for recipients to do anything with a broken or missing
> signature other than ignore it.

so let's get tpa going AND an ADSP amendment dkim=except-mlist going
so they can do something meaningful.

> * At this point, the only significant spoof targets that sign all
> their mail are Paypal and ebay.

Who notably haven't deployed ADSP despite their strong business case.

> The way DKIM can be useful to deter phishing is by helping recipients
> to recognize the small fraction of mail that is good, not the vast
> flood of bad mail.

That looks very different than the WG charter wording.

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
