On May 22, 2009, at 11:39 AM, J.D. Falk wrote:
> love it when FUD is so easily overridden by operational reality.

Not all recipients will have use of the latest version of Sendmail.

The concern regarding the l= parameter is not limited to mailing
lists, as John suggests.

Providers insert ads into the messages. Who is the user required to
trust, and how will they know who generated the link? It is not
uncommon to find providers, in pursuit of revenue, post ads
referencing websites that become compromised due to lax security and
end up containing IFRAMEs that load malware. It would not be good to
name names, but this is not uncommon. Once followed, the recipient's
system is compromised without any intervention or outward indication.
Often a user never knows their system was compromised. The number of
compromised systems and web servers is shockingly high. This is not
FUD, this is fact. Knowing the origination of EVERY link is
critically important.

By having the l= parameter available, senders wishing to retain trust
can differentiate their message from that of a recipient's provider.
The l= parameter can mitigate the bad practices of some providers, and
ensure the DKIM signature remains reliable and trustworthy. This
concern needs to be viewed from more than just an email provider's
perspective.

Why are providers bent on preventing recipients from knowing _who_ is
responsible for message content? While a recipient may trust their
financial institution, they may be less inclined to trust a provider
whose main revenue might be based upon ad revenue from who knows who.
Taking away the l= parameter significantly limits the protections DKIM
is able to offer. Once again, this concern is NOT about messages from
mailing lists! This is about ensuring recipients remain informed
about the origination of messages where they might be told that it
came from someone else. That is simply wrong!

-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
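
The l= behaviour discussed in this message, as an added example that is not part of the original post or of any DKIM implementation: it computes the DKIM body hash (bh=) over only the first l octets of the canonicalized body and returns the trailing octets the signer never covered, which is the part a receiver would have to attribute to someone other than the signer. The message bodies, the ads.example URL and the function names are constructed for illustration; canonicalization is the RFC 6376 "simple" body algorithm with SHA-256.

```python
import base64
import hashlib
from typing import Optional, Tuple


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty
    lines and make sure the body ends with exactly one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, l: Optional[int] = None) -> str:
    """Base64 SHA-256 over the canonicalized body, truncated to l octets
    when the signature carries an l= tag."""
    data = canon_simple(body)
    if l is not None:
        if l > len(data):
            # Fewer octets arrived than the signer hashed: cannot verify.
            raise ValueError("l= exceeds canonicalized body length")
        data = data[:l]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def split_by_l(body: bytes, l: int) -> Tuple[bytes, bytes]:
    """Return (octets covered by the signature, octets added after them)."""
    data = canon_simple(body)
    return data[:l], data[l:]


# Constructed sample: the sender signs ORIGINAL with l= set to its length,
# then a downstream provider appends AD before delivery.
ORIGINAL = b"Your statement is ready.\r\nLog in through your usual bookmark.\r\n"
AD = b"-- \r\nSponsored: http://ads.example/offer\r\n"
MODIFIED = ORIGINAL + AD
L_TAG = len(canon_simple(ORIGINAL))

if __name__ == "__main__":
    print("bh with l=    :", body_hash(ORIGINAL, L_TAG) == body_hash(MODIFIED, L_TAG))
    print("bh without l= :", body_hash(ORIGINAL) == body_hash(MODIFIED))
    signed, unsigned = split_by_l(MODIFIED, L_TAG)
    print("not covered by signer:", unsigned)
```

A receiver that honours l= can use the second value from `split_by_l` to mark or withhold content, including links, that falls outside the signed range.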