ietf-dkim

Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion

2010-04-30 16:56:09
On Apr 30, 2010, at 11:05 AM, Michael Thomas wrote:

On 04/30/2010 07:38 AM, McDowell, Brett wrote:
On Apr 30, 2010, at 10:23 AM, Michael Thomas wrote:

On 04/30/2010 07:05 AM, McDowell, Brett wrote:
But since mailbox providers already manage reputation at scale, how much of 
a burden is adding this bit to the mix?  Remember this only affects mailbox 
providers who have decided to do DKIM blocking based on ADSP discardable 
policies (for some, if not all senders).

Let's put aside whether there's something new here for the moment (I've not had
my coffee yet...). By all rights, we should not be having this conversation
right now at all because you have set adsp discardable. So even if we adopted
some bcp-like advice for mlm and receivers, it would be years if not forever
before we could have a reliable conversation on this and other lists again.
Maybe at paypal that's an acceptable tradeoff (?), but at my previous employer,
all standards work, for one, would cease and there would be lots of engineers
with pitchforks and torches.

So what I'm getting at here is that I'm having a hard time understanding how
the bootstrap doesn't fail for most sending/receiving entities. As I'm sure you
know, false positives drive mail admins to complete distraction... which is the
situation it looks to me that you're willingly setting up.

That said, you (paypal) are far braver than I am, but if you can make this work
somehow as a large enterprise that would be a pretty amazing accomplishment.

Mike

Talking about the status quo is to talk about how every ISP/MBP (btw, is it 
common practice to refer to a "mailbox provider" as an MBP?) has decided to deal 
with "discardable" ADSP policies given they ALL KNOW that some common Internet 
practices break DKIM.  I'm not sure why that's a useful discussion to have in 
this forum.  I thought we wanted to talk about how to change the status quo so 
DKIM signatures aren't made irrelevant by common Internet mail practices like 
MLMs.

Just so everyone knows, even some of the ISP/MBPs working with us who are 
equally committed to curbing paypal.com phishing attacks by means of DKIM and 
ADSP, are sorting out how they want to handle the gray areas when they see 
evidence that the message was 'probably validate-able' when it started but 
something that is 'probably not criminal' happened along the way so I can no 
longer validate... so let me... make it up as I go and iterate until the 
standards evolve to remove/reduce this problem.

That in fact is why my emails *are* being delivered to at least one gmail.com 
user on this list.

So the status quo is ugly at best.  

Is there any will in this group (aside from my own) to evolve the standards to 
improve the status quo?

<soapbox>
Are the rest of you as concerned about the damage fraud messaging can have to a 
user's computer, identity, and all systems on the Internet accessible from that 
computer?  I know I don't have to say this, but... this isn't just about 
stopping annoying ads for viagra.  And it isn't just about financial 
institutions' monetary losses due to account takeover attacks enabled by 
phishing.  It's about the trustworthiness of the Internet and addressing the 
A#1 channel criminals use today to undermine the integrity of this amazing 
infrastructure all of us have enjoyed and many of *you* have created.
</soapbox>

-- Brett


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
