ietf-dkim

RE: [ietf-dkim] How to reconcile passive vs active?

2006-08-07 09:50:57
 

[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Michael Thomas

Even then, the main issue is the potential damages that are being ignored.
My wife said it best when asked why even the BIG companies like WALMART, YAHOO, CISCO, AOL.COM, BIGBANK should also support strong policies:
 

I can say with little hesitation that Cisco will never publish the "strong" policy as envisioned by Mark for our user population. I'd be interested to hear from Mark whether Yahoo-inc ever would for their corporate users.

This is an irrational concern. Cisco is not a typical email user; it is not 
currently a target of the type of attack that would make one want to publish 
strong policy.

A more rational concern would be that you think you will be required to deploy 
strong policy and that it will have bad effects.


I don't see this being the case. Five years ago there were people who wrote 
mail filters that were insensitive to false positives. That is not a problem 
today.

The reason that I expect people to implement reporting, fix the mailing lists 
and all the other infrastructure that will eventually make even Cisco want to 
publish strong policy is that doing so will help reduce administration costs 
and false positives.


I would much rather put up a response server to provide feedback than have 
people contact me to tell them I am blocking good mail. 

I would much rather authenticate my mail than have it mistaken for spam.


There are four possibilities for a legit mail sent with authentication.

1) Signature Validates:
2) Signature fails to validate because the originator screwed up
3) Signature fails to validate because the sender screwed up
4) Signature fails to validate because of an intermediary acting for the 
recipient (mailing list, forwarder, etc.).


The first case is success, the second and third cases are self-healing. 

It's only the fourth case that leads to an issue and it is easy for Cisco to 
fix. They simply issue a separate email address for receiving mail from mailing 
lists. Many of them seem to do this already. I note that Michael is one of them.


Worst case is that everyone has to resubscribe to mailing lists that are 
habitual manglers of signatures in a way that is incompatible with people's 
mail service using a different address that works.

It is not even necessary to have a different domain.

mthomas(_at_)cisco(_dot_)com could become 
ietfdkim(_dot_)mthomas(_at_)cisco(_dot_)com

You can even add in a MAC validation code:  
mlc(_dot_)esae378hwdfe(_dot_)883uhe3hh2j(_at_)cisco(_dot_)com


Put a command in the client that automatically performs the mailing list 
subscription in the manner I suggested.

This problem is fixable; strong policy is entirely practical.

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
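
The per-list address with a MAC validation code suggested in the message above can be sketched as follows. This is an added example, not part of the original post or of any deployed system; the `list_id.user.tag` layout, HMAC-SHA256, the tag length, the demo key, the function names and `example.com` are all assumptions.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment would load this from a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 10  # base32 characters kept from the MAC (50 bits), an assumption


def _tag(user: str, list_id: str, key: bytes) -> str:
    """Truncated HMAC-SHA256 over (user, list_id), base32 so it is address-safe."""
    msg = f"{user}\x00{list_id}".lower().encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b32encode(digest).decode().lower()[:TAG_LEN]


def list_address(user: str, list_id: str, domain: str, key: bytes = DEMO_KEY) -> str:
    """Build the per-list subscription address: list_id.user.tag@domain."""
    if "." in user or "." in list_id or not user or not list_id:
        raise ValueError("user and list_id must be non-empty and dot-free")
    return f"{list_id}.{user}.{_tag(user, list_id, key)}@{domain}"


def verify_recipient(address: str, key: bytes = DEMO_KEY):
    """Return (user, list_id) when the tag is valid, otherwise None."""
    local, _, _domain = address.rpartition("@")
    parts = local.lower().split(".")
    if len(parts) != 3 or not all(parts):
        return None
    list_id, user, tag = parts
    expected = _tag(user, list_id, key)
    # Constant-time comparison on bytes so a guessed tag leaks no timing signal.
    if not hmac.compare_digest(tag.encode("utf-8", "replace"), expected.encode()):
        return None
    return user, list_id


if __name__ == "__main__":
    addr = list_address("alice", "ietfdkim", "example.com")
    print(addr, verify_recipient(addr))
    print(verify_recipient("otherlist." + addr.split(".", 1)[1]))  # None
```

A receiving mail server that holds the key can accept list traffic only at addresses whose tag verifies, so a tag issued for one list cannot be reused for another list or another user.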
