On October 26, 2005 at 19:11, Douglas Otis wrote:
There are vast numbers of messages legitimately sent by those not
identified in the From header. Should these messages all be rejected
or deleted?
The current SSP prohibition is exclusively based upon the email-
address found in the From header and is the _only_ means available to
repudiate messages from Bad Actors.
The impact of only allowing this the sole choice is significant and bad.
It may help if you can provide example scenarios illustrating
your points. For example:
* Examples of legitimate messages sent by those not identified
in the From header.
* Examples showing how SSPs From-centric approach is bad.
In general, giving examples provide a clearer understanding of the
problem and how the problem can be addressed, especially when
dealing with security issues.
Many discussions are in the abstract, causing at times little progress
being made on a particular topic since people's views of the topic
may not be in sync.
that. If BofA can convey to me that no one can use their domain in
2822.From unless authenticated, I'd love to oblige.
There should be draconian measures made with respect to specific
domains impacted by phishing when they are willing to endure the
limitations. A simple mechanism that indicates which domains require
such protections would be more immediately effective than the
mechanism currently envisioned for SSP.
Semi-related comment: I think many that advocate a particular solution
use email in a specific manner. I.e. The solution fits well with
how they use email, but it does not fit well with all the legitimate
uses of email. This perspective can blind them from seeing the
problems with the solution being advocated, problems that could even
effect them.
They could care less about the bits involved in
implementing DK, DKIM, SPF, Caller-ID, whatever. They care about the
consequential outcome and the levers they have to protect themselves.
At some point, this protection will include making the signing-domain
visible to the recipient. In the mean time, having DKIM widely
deployed with a large number of domains asserting that they sign all
of their mail, then far greater protections can be afford by DKIM.
Attempts to bind the assertion to the From address will result in
negative ramifications that will inhibit an otherwise greater number
of advantageous assertions and deployment of DKIM itself.
I think allowing binding to any OA header field provides better
flexibility as long as these semantics are made clear during
verification.
Frank alluded to the possibility that some header fields may need to
be handled a little different to make such a system beneficial.
All good. But phishing protection will form a poor basis for
establishing a ubiquitous DKIM signature on all emails. The current
SSP policy will not allow the typical ISP to sign their email
traffic.
Please provide an example. Such example may be useful for inclusion
to the threats document or some other document that highlights
barriers to adoption.
--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org