dkim-ops
[Top] [All Lists]

Re: [dkim-ops] subdomain vs. cousin domain (when deploying"discardable")

2010-09-10 08:56:56

On Sep 9, 2010, at 5:40 PM, Douglas Otis wrote:

 On 9/9/10 1:04 PM, McDowell, Brett wrote:
But, before we dismiss the problem you raised... .gov domains*are*  highly 
phished and they share this TLD problem with .edu.  That said, how many 
.gov-ers need to (or are allowed to) participate in public mail lists.

Ugh!  We simply have to fix the root cause of MLM's breaking DKIM signatures.
Disagree.  This would then mean MLM messages become visually similar to 
messages from individuals.

I didn't mean to suggest MLM's should stop doing the things they do that breaks 
DKIM signatures.  I'm actually a fan of the A-R header (or perhaps a new one) 
approach -- used in a clear (profiled?) way -- so MLM's can assert to receivers 
that they verified the senders signature before processing and re-signing it.


This type of change won't happen overnight, 
or perhaps even within the same decade.  Many lists don't authenticate 
the source of each message being distributed.  Until there is universal 
adoption of A-R header and DKIM, it remains beneficial for these 
messages to be visually different when issued by a mailing-list.  Some 
MUAs have extensions able to display various header fields, like 
List-ID.  It would be helpful if MUAs had a display option for this 
header field.

On the other hand, the TPA-Label concept is premised upon third-party 
sources being recognized by senders.  As the diversity of sources 
increase, identifying good rather than bad becomes a more productive 
strategy.  For this scheme to function, the sender will need to 
reference a third-party list that meets their requirements, or generate 
their own.

By placing the DKIM signature within a subdomain, the TPA-Label can also 
indicate to recipients how _any_ authorized message with From header 
fields containing an address from their domain is to be authenticated.  
This scheme should help email transition gracefully to stronger 
methods.  This scheme should also allow phished domains the ability to 
use a single domain for all of their email, including messages from 
unmodified mailing-lists, while also offering the strongest protection 
available from each source.

I reviewed the TPA-lable I-D awhile back but lost track of the URL.  Please 
resend and I'll take another look.  But as I recall it just seemed "too hard".


-Doug

_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops


_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops

<Prev in Thread] Current Thread [Next in Thread>