On Mon, Jan 12, 2009 at 1:51 PM, Franck Martin <franck(_at_)avonsys(_dot_)com>
wrote:
I'm curious when you say ADSP is always keyed of the real live From
address? You talk about the From: and not the Mail From: (Return-path)?
Yes, the A is for Author. ADSP is built on top of DKIM and allows domain
owners to specify that they sign some or all mail using a specific domain in
the From: address
as a side note, all this SSP/ADSP processing looks like a blackbox (or
black magic) to me. There is no recommended practices and no one explain
what they do to filter mail. like in the statement "AOL will use DKIM to do
build reputation based on domain", what does it mean?
It means they are going to start establishing reputation for DKIM domains
based on the DKIM signed mail passing through their systems. This isn't any
more of a black box than their existing reputation systems.
As for recommended practices I'm not sure there's enough operational
experience is most situations to have anything useful to recommend yet. I
would be pleased to be wrong here but suspect that we may be starting to get
there for some uses of DKIM and are a long way away from that with ADSP.
We know well about spamassassin, DNSBL, DCC but this is about it. I thought
security by obscurity was a bad idea? ;)
Not sure this qualifies for security by obscurity. It's pretty
straightforward how all these technologies work. How people make use of the
data these technologies provide, that only seems obscure because people are
still figuring it out themselves. Compare this to how people use IP
addresses there's a pretty wide variety there and a lot of those uses would
qualify as "obscured" from outside users too.
----- Original Message -----
From: "Michael Thomas" <mike(_at_)mtcc(_dot_)com>
To: "Anti-Spam Research Group - IRTF" <asrg(_at_)irtf(_dot_)org>
Cc: dcrocker(_at_)bbiw(_dot_)net
Sent: Tuesday, 13 January, 2009 8:24:24 AM (GMT+1200) Auto-Detected
Subject: Re: [Asrg] where the message originated
Franck Martin wrote:
I have run a series of tests, where I sign a message (sent by me) but
with only the Return-path containing my domain (DKIM does not sign the
return-path as recommended in the spec).
I used the DKIM reflectors on www.dkim.org
and the assessment I got was: neutral (none of the signed field contain
the domain of the signer).
like if it is wrong.
I think it should be a pass. I fear that many people that verify DKIM
make the same mistake.
Note that this not about DKIM but about SSP/ADSP and
Authentication-Results.
I believe that the SSP/ADSP result should be neutral, but that the DKIM
result is "pass". A lot of the reflectors haven't been updated for quite
a
while, and the earlier drafts of Auth-Res didn't make a distinction
between
DKIM and SSP/ADSP. So, true to form, differing implementations did
differing
things in the face of the ambiguity.
I'm thinking of adding an X-header that will contain my domain and sign
it via DKIM and see if the reflectors are happier.
I _think_ that my reflector does the right thing in that it separates out
the
dkim results from the ssp results, but I'm pretty sure that it's out of
date
wrt both the new auth-res draft and the adsp draft.
In either case, an X-header isn't going to change anything. The ADSP part
is
always keyed of of the real live From address.
Mike
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg