ietf-dkim

[ietf-dkim] Meta - lack of actual use cases (was Re: list vs contributor signatures, was Wrong Discussion

2010-05-26 15:15:26

On May 26, 2010, at 12:45 PM, Barry Leiba wrote:

<<Chair Interrupt>>

I want to shut off one aspect of this discussion, because it's wasting
time, making us go around in circles, and causing a lot of
misunderstanding.

The aspect that I'm shutting off is any variation on the idea that
because phishing succeeds despite any blocks on a particular domain
name (using look-alikes and other funny domain-name tricks),
protecting a domain name (for whatever value of "protecting" we want
to talk about) does not affect the ability to phish, and therefore is
not useful.

This working group has consensus that it IS useful to "protect" a
domain name.  That consensus is well established, and has been much
discussed.  Further discussion of that question is out of scope.
Let's please stop wasting time and effort on it.

We all agree that making it harder for someone to send mail with
"something(_at_)paypal(_dot_)com" in the "from" line does not stop phishing
attacks that fool recipients into thinking that the mail comes from
PayPal.  Nevertheless, we have rough consensus that it is useful to
make it harder for senders who are not PayPal to send mail with
"something(_at_)paypal(_dot_)com" in the "from" line.

There's apparently a lot of disagreement, even within the active
participants of this mailing list, as to what ADSP does do.

As one specific example I do not believe there is consensus on
what threat ADSP is intended to thwart, and without that I don't
believe that it's possible to discuss how to deploy it or how to
modify it.

As an example - there is a suggestion that ADSP be weakened
such that it allows for unsigned mail sent through a mailing
list. It's not possible to judge whether that will terminally
weaken the protections offered by ADSP without knowing what
the threat it's intended to defend against is.

If the sole benefit to ADSP is to "protect the domain name
as used in the non-displayed part of the From: field" then
weakening it to allow unsigned mail through mailing lists
in the way suggested would break ADSP completely. OTOH,
if the real goal is to help with phishing attacks against domains
that are used solely to send B2C junk mail then there's a
fairly strong argument that mailing lists aren't a likely conduit
for phishing attacks against B2C bulk mailer targets.

If the chairs assert there is a consensus on what that threat
is, I'd appreciate it if they can state that with a couple of
concrete examples.

If there is not consensus on that, then I don't see how the
conversation about fixing the obviously broken bits of ADSP
or working on good deployment practices can usefully continue.

Cheers,
  Steve


-----

I'll also add that the chairs have the job of declaring consensus, of
declaring an issue resolved, and of declaring discussion closed.  I
ask that people avoid being dismissive in their responses, but I also
remind others that a dismissive response from a participant does not
enjoin anyone from continuing discussion.

Carry on.

-- Barry, as chair.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
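As an added illustration that is not part of the thread, the following evaluator applies the ADSP (RFC 5617) practices "unknown", "all" and "discardable" to the mailing-list case discussed above: a message whose author-domain signature no longer verifies after the list modified and re-signed it. The domains, published records and verification results are constructed; the existence check on the From domain (the "nxdomain" result) is omitted for brevity.

```python
from typing import Iterable, Mapping, Optional

# Constructed ADSP records, as they would appear in the
# _adsp._domainkey.<author-domain> TXT record. hobby.example publishes none.
ADSP_RECORDS = {
    "bank.example": "dkim=all",          # every message is author-signed
    "shop.example": "dkim=discardable",  # unsigned mail may be discarded
}

# Mapping from the published practice to the ADSP evaluation result when
# no valid Author Domain Signature is present (RFC 5617, section 4.2.1).
NO_AUTHOR_SIG_RESULT = {
    "none": "none", "unknown": "unknown", "all": "fail", "discardable": "discard",
}


def parse_adsp(txt: Optional[str]) -> str:
    """Return the dkim= practice from a record, 'none' when no record exists,
    or 'permerror' when the record is malformed."""
    if txt is None:
        return "none"
    for tag in txt.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "dkim":
            value = value.strip().lower()
            return value if value in ("unknown", "all", "discardable") else "permerror"
    return "permerror"  # the dkim= tag is mandatory


def author_domain(from_header: str) -> str:
    """Extract the domain of the (single) From: address, e.g. 'Alice <a@x>' -> 'x'."""
    return from_header.rsplit("@", 1)[1].strip(" >").lower()


def adsp_result(from_header: str, verified_sig_domains: Iterable[str],
                records: Mapping[str, str] = ADSP_RECORDS) -> str:
    """Evaluate ADSP for one message.

    verified_sig_domains are the d= values of the DKIM signatures that still
    verify on receipt. Only a signature whose d= equals the From: domain is an
    Author Domain Signature; a mailing list's own signature does not count."""
    domain = author_domain(from_header)
    if domain in {d.lower() for d in verified_sig_domains}:
        return "pass"
    practice = parse_adsp(records.get(domain))
    return NO_AUTHOR_SIG_RESULT.get(practice, practice)


if __name__ == "__main__":
    # Direct delivery: the bank's signature survives -> pass.
    print(adsp_result("Alice <alice@bank.example>", ["bank.example"]))
    # Via a list that adds a footer and re-signs: only d=list.example
    # verifies, and the dkim=all practice yields fail for a legitimate post.
    print(adsp_result("Alice <alice@bank.example>", ["list.example"]))
```

The second case is the trade-off at the centre of the thread: a receiver enforcing ADSP will reject subscribers' list traffic from a dkim=all domain unless the policy or the list's handling changes.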
