On Oct 13, 2009, at 4:30 AM, Ian Eiloart wrote:

> --On 13 October 2009 00:01:05 -0700 Dave CROCKER <dhc(_at_)dcrocker(_dot_)net> wrote:
>
>> Steve Atkins wrote:
>>
>>> The "brand" cannot be protected solely via ADSP, at all, not in any manner.
>>>
>>> By that I mean that it's possible to protect the byte sequence paypal.com to some limited degree, but that that is operationally meaningless without any way to distinguish between "paypal.com" and "paypa1.com", or between "citibank.com" and "citibankonline.com".
>>
>> If anything, Steve is being generous, because it's actually much worse than that...
>
> I understand the issue here, but part of the point of DKIM/ADSP is to allow automated systems to assign reputation to an email domain or email address - a byte string. Those automated systems will be able to distinguish between paypal.com (likely with high positive reputation) from paypa1.com (likely to acquire a very high negative reputation quite quickly).
>
> So, sure, if the paypa1.com email is delivered, the recipient isn't protected. Except, perhaps, if the MUA fails to mark the email as from a trusted source - a bit like the way browsers are beginning to identify web sites with Extended Validation certificates.
>
> Furthermore, such systems could be designed to look for close mismatches, using Hamming distance functions, for example. My bet is that paypal don't own any domains with a Hamming distance of one from paypal.com,

(Just as an aside, you'd lose that bet. Ebay buy an awful lot of domains, with no intention of ever using them. One of those is... paypa1.com. :) )

> though they may well own domains with a Hamming distance of three - like paypal.org.
>
> All of this is something that could be done with DKIM assured identities.

None of this requires ADSP. If anything, your observation is an argument against needing ADSP, as ADSP is *solely* about the sender of email making assertions about themselves, while you're talking about receivers of email making decisions based on previous behaviour.

> It might be nice if paypal could publish in the DNS a set of related domains that it is willing to share the reputation of paypal.com with. Positive reputation could flow from paypal.com to the shared domains, and negative reputation in the reverse direction.

Paypal is a good example for when that's not needed. They send all their legitimate email as paypal.com. Even if they do own paypa1.com, they're not going to send you mail claiming to be paypa1.com.

(And for those cases where it would be useful the DKIM answer is "just sign all your mail with the same d= tag, and it'll share reputation".)

Cheers,
Steve
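An added example, not from anyone in this thread: a receiver-side check in the spirit of Ian's "close mismatch" idea, which takes the d= identity from a DKIM-Signature header and flags it when it sits within a small Hamming distance of a domain the receiver already trusts. The trusted list and the sample headers are constructed, and a real receiver would only feed it a d= from a signature that actually verified.

```python
import re
from typing import Optional

# Constructed: signing domains this receiver already holds in high reputation.
TRUSTED_DOMAINS = ("paypal.com", "citibank.com")

# Constructed sample headers (bh=/b= values elided); the d= tag is what matters here.
SAMPLE_HEADERS = {
    "legit":     "DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=s1; h=from:to; bh=...; b=...",
    "lookalike": "DKIM-Signature: v=1; a=rsa-sha256; d=paypa1.com; s=s1; h=from:to; bh=...; b=...",
    "sibling":   "DKIM-Signature: v=1; a=rsa-sha256; d=paypal.org; s=s1; h=from:to; bh=...; b=...",
}


def signing_domain(header: str) -> str:
    """Return the d= tag (the byte string reputation attaches to) from a DKIM-Signature header."""
    # Anchor on ';' or start of the tag list so that bh= or other tags ending in 'd=' cannot match.
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", header)
    if not m:
        raise ValueError("DKIM-Signature header has no d= tag")
    return m.group(1).lower()


def hamming(a: str, b: str) -> Optional[int]:
    """Hamming distance, or None when the strings differ in length (it is only defined for equal length)."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a, b))


def classify(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> str:
    """'trusted' for an exact match, 'lookalike' when within max_distance of a trusted
    domain (paypa1.com vs paypal.com is 1), otherwise 'unknown' (paypal.org is 3 away)."""
    if domain in trusted:
        return "trusted"
    for t in trusted:
        d = hamming(domain, t)
        if d is not None and d <= max_distance:
            return "lookalike"
    return "unknown"


def classify_header(header: str) -> str:
    """Convenience wrapper: classify the signing identity carried by a DKIM-Signature header."""
    return classify(signing_domain(header))


if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        print(f"{label:10s} d={signing_domain(hdr):12s} -> {classify_header(hdr)}")
```

A "lookalike" verdict is a signal for the MUA not to render the trusted-sender marking, not a reason to reject the mail on its own; the unequal-length cases the thread mentions (citibankonline.com) fall outside Hamming distance entirely, which is exactly the gap Steve points at.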
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html