ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] incremental vs. infrastructure adoption

2006-11-28 06:47:21
On Sat, 25 Nov 2006 04:52:11 -0000, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> 
wrote:

Charles Lindsey wrote:
A whitelist is useful as soon as a single recipient (filter, user, whatever) can apply it.
Be careful there. We want people out there to welcome and accept these protocols when they start to be deployed. A huge spate of false positives and false negatives will rapidly cause it to come into disrepute and to wither. This is not a technical problem - it is a social problem, but we ignore it at our peril.

I do not see how your statements relate to the one of mine to which you appear to be responding.

Just that if a feature is deployed with an inadequate infrastructure to support it, it may make matters worse initially, and so bring the whole idea into disrepute.



Q. "I bank with Bank of America. I always used to get those "SAFE" logos. Now they have suddenly stopped". A. "I see from your headers that you are on holiday in the Netherlands Antilles. The ISP you are using there doesn't use whitelists for American Banks - just for the Bank of the Antilles and ABN/AMRO."

This, I think, is a very interesting example, conceptually.

The detail you supply, however, is confusing. Your sentence beginging "The ISP..." does not make sense to me.

I guess that you are presuming that all of the relevant email functions are under control of the local-access ISP and that, therefore, when traveling, I might get a different MUA?

You have connected your laptop to the system provided by the person you are staying with, the conference organizers, the hotel, or whatever. Or perhaps you are without your laptop and are a guest on someone else's system. And the system you are connected to just just not provide the particular set of whitelists you were used to back home.


Although true, there is no requirement that it be "standardized". Different existing lists have different access methods.
No implementor of the popular MUAs is going to invest effort in implementing this "SAFE" Logo if there are lots of different protocols which might be used.

Statements containing firm absolutes, when they involve human decision-making, tend to be problematic..... That such a situation is absurd and often does not work correctly is not the point. The point is that I believe it disproves your absolute.

My statement does not need to be absolute to reflect the likely consequence of trying to implement whitelists piecemeal.

You can't do it in the headers, because Bad Guys can write headers too.

Not when the headers are signed.  (eg, <http://goodmailsystems.com>.)
And there you gave a good answer (and it also brings the thread back on topic :-). OK, such schemes are possible. But the Bad Guy can still insert the "SAFE" header and sign it, so there is still work for the verifying agent to do by way of spotting such already present headers and acting accordingly. .

Typical discussions, about such indications of safety, distinguish between what is carried in the message, across the Internet, versus what is generated within the trusted Administrative Management Domain (ADMD) of the recipient.

If you are wanting that "SAFE" logo to appear on your MUA when a whitelisted email is received, then that information has to be communicated somehow from the site that checked the whitelist (which is usually in a diferent ADMD to yourself). That means it must be possible to communicate it by SMTP (you cannot assume that everybody uses POP3 or IMAP to access their mail, and even there it would need upgrades to those protocols).

The only place in SMTP to hide it is in the headers of the message. So those would have to be signed, which means verifying capability in the MUA, together with means to spot alleged signings by the Bad Guy. This is all, in principle, doable (that is how the 'Padlocks' on web browsers work), but it will not be a simple system to set up and deploy.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>