ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Is anyone using ADSP? - bit more data from the receiving side

2009-10-13 11:04:33
from [Steve Atkins] [Permanent Link] 

On Oct 13, 2009, at 4:30 AM, Ian Eiloart wrote:




--On 13 October 2009 00:01:05 -0700 Dave CROCKER 
<dhc(_at_)dcrocker(_dot_)net>  
wrote:




Steve Atkins wrote:

The "brand" cannot be protected solely via ADSP, at all, not in any
manner.

By that I mean that it's possible to protect the byte sequence
paypal.com to some limited degree, but that that is operationally
meaningless without any way to distinguish between "paypal.com" and
"paypa1.com", or between "citibank.com" and "citibankonline.com",



If anything, Steve is being generous, because it's actually muss  
worse
than  that...


I understand the issue here, but part of the point of DKIM/ADSP is  
to allow
automated systems to assign reputation to an email domain or email  
address
- a byte string. Those automated systems will be able to distinguish
between paypal.com (likely with high positive reputation) from paypa1.com
(likely to acquire a very high negative reputation quite quickly.

So, sure, if the paypa1.com email is delivered, the recipient isn't
protected. Except, perhaps if the MUA fails to mark the email as  
from a
trusted source - a bit like the way browsers are beginning to  
identify web
sites with Extended Validation certificates.

Furthermore, such systems could be designed to look for close  
mismatches,
using Hamming distance functions, for example. My bet is that paypal  
don't
own any domains with a Hamming distance of one from paypal.com,


(Just as an aside, you'd lose that bet. Ebay buy an awful lot of  
domains,
with no intention of ever using them. One of those is...  
paypa1.com. :) )


though they
may well own domains with a Hamming distance of three - like  
paypal.org


All of this is something that could be done with DKIM assured  
identities.

None of this requires ADSP. If anything, your observation is an argument
against needing ADSP as ADSP is *solely* about the sender of email  
making
assertions about themselves, while you're talking about receivers of  
email
making decisions based on previous behaviour.


It might be nice if paypal could publish in the DNS a set of related
domains, that it is willing to share the reputation of paypay.com  
with.
Positive reputation could flow from paypal.com to the shared  
domains, and
negative reputation in the reverse direction.


Paypal is a good example for when that's not needed. They send all
their legitimate email as paypal.com. Even if they do own paypa1.com,
they're not going to send you mail claiming to be paypa1.com.

(And for those cases where it would be useful the DKIM answer is
"just sign all your mail with the same d= tag, and it'll share  
reputation".)

Cheers,
   Steve

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] Is anyone using ADSP? - bit more data from the receiving side, Michael Thomas
Next by Date:  Re: [ietf-dkim] Is anyone using ADSP? - bit more data from the receiving side, Murray S. Kucherawy
Previous by Thread:  Re: [ietf-dkim] Is anyone using ADSP? - bit more data from the receiving side, Ian Eiloart
Next by Thread:  Re: [ietf-dkim] Is anyone using ADSP? - bit more data from the receiving side, Dave CROCKER
Indexes:  [Date] [Thread] [Top] [All Lists]