On May 25, 2010, at 7:03 PM, Steve Atkins wrote:
On May 25, 2010, at 3:38 PM, Brett McDowell wrote:
On May 10, 2010, at 3:09 PM, Steve Atkins wrote:
On May 10, 2010, at 11:59 AM, John R. Levine wrote:
Apart from ADSP rules, a broken signature must be treated as if there was no
signature at all. That in itself is not the problem. The problem with broken
signatures is that people will not buy into a technology (DKIM) if it will
not cover a significant part of their e-mail.
Of course. That's why MLMs should sign their mail, or equivalently the MSA
they use should sign it. Problem solved, right?
Free bonus: MLMs can sign the list mail even if the contributor didn't
sign it.
+1. It's pretty much a non-issue (unless you believe that DKIM is
magic fairy dust that will prevent all "fraudulent use of your brand").
I believe we can disagree without being disagreeable. I'm sure there is no
one on this list (or in the world) who thinks DKIM is magic fairy dust that
will prevent all fraudulent use of a brand.
If ADSP is not there to prevent "fraudulent use of your brand", what
is it for?
To protect users from a type of crime (phishing) perpetrated in a particular
channel (email). It's not about protecting our brand. It's about protecting
our customers.
While I don't think ADSP proponents actually believe it is magical brand
protection fairy dust, that is the operational model we're using when we're
discussing the usage of ADSP.
ADSP does not, and can not, provide significant operational value
in dealing with phishing,
Ummm... PayPal+Google+Yahoo have collectively blocked well over 100 million
phishing attacks using DKIM+ADSP=discardable (if you include the out-of-band
equivalent to ADSP=discardable that we had to put in place while we waited for
a standard, that we now fully support and deploy).
which is the only concrete example
anyone has brought forward. So we're left with "brand protection",
which is still plausible because it's so vague.
(If it were described as "Brand protection as applied to the section of
the byte sequence in the From: field that isn't the part usually displayed
to the end user" that would be less vague, but more obviously useless).
I would like to think we are all on this list making a good faith effort to
explore and debate the right way to deal with the status quo, including the
option of sustaining it. I personally don't agree with the position that
the status quo should be sustained, but I respect both that position and
those who articulate it.
Yes, this summary may be blunt and possibly even disagreeable, but
there comes a point when developing something that's going to affect
many, many people that you have to mention the elephant in the room -
which is that while lots of people involved have invested quite a bit of effort
and professional credibility in putting it together there's still no definition
of what problem it's supposed to solve, and the end result appears to
be pretty much useless for any concrete phishing or brand protection
scenario.
Problem = phishing
Utility = just one sender + two mailbox providers have blocked over 100 million
phishing attacks; many of those blocks also resulted in site take-downs.
The value of what we already have from your efforts in IETF is HUGE for
consumer protection. It could be even more useful with the kind of tweaks I've
suggested for MLMs... and probably a few more flags/states for ADSP.
-- Brett
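The receiver-side logic the thread argues about, as an added example that is not code from any list participant: a failed DKIM signature is treated as absent, the Author Domain is taken from From:, and the domain's ADSP record (dkim=unknown, all or discardable) decides the disposition. The DNS lookup is replaced by a constructed table, and the domain names, result labels and function names are assumptions for illustration.

```python
"""ADSP-style disposition for an incoming message (added example, not code
from the list thread). A broken author signature counts as no signature;
a third-party signature (e.g. an MLM's) is not an Author Domain Signature."""
import re
from email.utils import parseaddr

# Constructed stand-in for TXT lookups of _adsp._domainkey.<domain>.
ADSP_RECORDS = {
    "bank.example": "dkim=discardable",
    "corp.example": "dkim=all",
}

def author_domain(from_header):
    """Author Domain: the domain part of the single From: address."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()

def lookup_adsp(domain, records=ADSP_RECORDS):
    """Parse the dkim= tag of the ADSP record; no record means 'unknown'."""
    txt = records.get(domain)
    if txt is None:
        return "unknown"
    m = re.search(r"\bdkim\s*=\s*(\w+)", txt)
    return m.group(1).lower() if m else "unknown"

def has_author_signature(domain, dkim_results):
    """True only if a signature whose d= equals the Author Domain verified.
    A failed signature (e.g. body rewritten by a list) counts as absent."""
    return any(d.lower() == domain and res == "pass" for d, res in dkim_results)

def disposition(from_header, dkim_results, records=ADSP_RECORDS):
    """Return 'accept', 'suspect' or 'discard' for one message.
    dkim_results is a list of (d= domain, verification result) pairs."""
    domain = author_domain(from_header)
    if domain is None:
        return "suspect"  # unparseable From: gets no trust
    if has_author_signature(domain, dkim_results):
        return "accept"
    policy = lookup_adsp(domain, records)
    if policy == "discardable":
        return "discard"  # the sender asked for unsigned mail to be dropped
    if policy == "all":
        return "suspect"  # domain says it signs everything, yet this is unsigned
    return "accept"  # unknown: no claim made, handle as ordinary unsigned mail
```

Note that a list-signed message from a discardable domain is still discarded, which is exactly the MLM breakage the thread is discussing.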
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html