(oops, sorry, it was an issue Al raised, not John... in any event here's my
answer)

On Apr 29, 2010, at 1:23 PM, Al Iverson wrote:

On Thu, Apr 29, 2010 at 11:58 AM, McDowell, Brett
<bmcdowell(_at_)paypal(_dot_)com> wrote:

On Apr 28, 2010, at 2:11 PM, John R. Levine wrote:

Your proposal that MLM remove Signatures would cause restrictive
policies to fail.

Which is why I oppose this proposal.

As John Levine mentioned previously, your own posts to this list fail
authentication and end up in many of our spam folders because of
Paypal's SPF policy. I'm not against strong authentication policies --
but I'm wondering how you personally expect to be able to post to
mailing lists without acceptance of this proposal? The status quo
interferes with your ability currently, and broader adoption of
authentication on the receiving side will only make it worse.

It's a question of priority and timing.

Priority: it's more important to us that cyber criminals not be systemically
enabled to leverage MLM systems to bypass email authentication flows and
consumer protection policies designed to block their attacks... the attacks
that, if not for the MLM intermediary, would have been blocked thanks to
DKIM+ADSP and the voluntary compliance to ADSP policies by certain
ISPs/Mailbox Providers.

Timing: therefore, until the standards community enables MLM systems to
maintain (if they wish) the integrity of DKIM/ADSP-enabled message
authentication flows that exist today (and are on the rise) and would
successfully deliver authenticated mail if not for the intervention of the MLM
system, our consumer protection policy has this apparent consequence on PayPal
employees that participate in certain public mail lists -- the ones that break
or strip DKIM signatures -- that would lead us to have to perform workarounds
as the issues are discovered.

It's not ideal for me personally, but more importantly it's not ideal for any
sender trying to leverage these technologies to improve consumer protection.
That's why I'm here trying to advocate for a *solution* which Murray's proposal
just might be the basis for, but I humbly assert John's is not.

I'd characterize the X-Y-Z proposal from Murray as having some hope of solving
the problem without dismissing the current consumer protection values of
DKIM+ADSP, and John's proposal as something akin to giving up on ever seeing
authenticated mail survive MLM intermediaries.

-- Brett
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html