On 5/27/10 7:53 AM, Jeff Macdonald wrote:
> So I understand your line of reasoning. But today, I believe ADSP can
> provide a benefit. Brett has data that supports that. It may have a
> limited lifetime. But I don't think this will be the only RFC that has
> a limited lifetime in the transition to an authenticated email
> universe.
> Stating the obvious, in an Authenticated world, services that were
> designed in a non-Authenticated world will break authentication. A
> complex authentication protocol might be designed to work with
> services that don't support authentication, but I think that is a
> futile attempt.
Disagree. The number of exceptions needed is small. A single
transaction can mitigate issues related to third-party services that
don't exchange DKIM keys. Such a scheme offers comprehensive
protections without a long wait for something far less practical.
Since DKIM and ADSP directly benefit senders by ensuring their messages
are not obscured, it seems only right that senders, rather than
recipients, carry the larger burden. For most financial organizations,
this burden will be slight.
> It makes sense to me to go to each of these services,
> see if there is a consensus in the value proposition of authenticated
> email, and help modify those services to work in an Authenticated
> world. I'd also advocate not changing the authentication part to make
> it work with a service. That just adds complexity.
Authorization is a separate mechanism from DKIM's authentication of a
domain. The authentication methods will not change. However, ADSP
policies should be able to encompass third-party authorization for services
that don't exchange the DKIM private keys needed to produce Author-Domain
signatures. Authorization is far simpler than coordinated and complex
exchanges of private keys or indirect and moving publications of public
keys among two or more administrative entities. Yuck.
An authorization can be made unilaterally without complex coordination.
An authorization can remain static, even when keys roll over.
To better answer Steve's criticisms on phishing, our company among
others, offers browser plugins for web mail and popular email
applications that annotate messages using corporate icons. Users can
afford themselves similar protections by sorting email based upon the
From email address and the DKIM/ADSP results. It seems reasonable to
expect these functions will become easier to employ. They are not that
hard now.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
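The sorting Doug describes (bucket mail by the From domain and the DKIM/ADSP result) is mechanical enough to show in code. The following is an added example, not code from the list or from any participant. It assumes an upstream MTA has already verified DKIM and recorded the outcome in Authentication-Results headers; the script only applies RFC 5617 ADSP semantics on top of that. DNS lookups are replaced by constructed tables so it runs offline, and the third-party authorization table is hypothetical: it illustrates the authorization-without-key-exchange idea argued above and is not part of RFC 5617.

```python
"""Sort mail by From domain and DKIM/ADSP result (RFC 5617 semantics).

Added example, not the list's or any participant's code.  Assumes a trusted
verifier has written Authentication-Results headers; DNS is stubbed out with
the constructed tables below.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed stand-in for DNS.  RFC 5617 publishes ADSP as a TXT record at
# _adsp._domainkey.<author-domain> carrying a dkim= tag.
ADSP_RECORDS = {
    "bank.example": "dkim=discardable",
    "news.example": "dkim=all",
}

# HYPOTHETICAL: a domain listing signers it authorizes without sharing keys.
# This table and its semantics are assumptions for illustration; RFC 5617
# defines no such mechanism.
THIRD_PARTY_AUTHORIZED = {
    "bank.example": {"statements-esp.example"},
}


def author_domain(msg):
    """Lower-cased domain of the RFC 5322 From address ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def dkim_pass_domains(msg):
    """Signing domains (header.d) the verifier reported as dkim=pass."""
    domains = set()
    for ar in msg.get_all("Authentication-Results", []):
        # The first ';'-separated field is the authserv-id; the rest are
        # method results such as "dkim=pass header.d=bank.example".
        for clause in str(ar).split(";")[1:]:
            tokens = clause.split()
            if not tokens or not tokens[0].lower().startswith("dkim="):
                continue
            if tokens[0].split("=", 1)[1].lower() != "pass":
                continue
            for tok in tokens[1:]:
                if tok.lower().startswith("header.d="):
                    domains.add(tok.split("=", 1)[1].lower())
    return domains


def adsp_policy(domain):
    """ADSP dkim= value: unknown, all, discardable, or 'none' if unpublished."""
    record = ADSP_RECORDS.get(domain)
    if record is None:
        return "none"
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("dkim", "unknown").strip().lower()


def classify(raw_message):
    """Return a sorting bucket for one message.

    author-signed           Author Domain Signature: header.d == From domain.
    third-party-authorized  hypothetical table above matched a passing signer.
    discard                 ADSP dkim=discardable and no acceptable signature.
    suspect                 ADSP dkim=all and no acceptable signature.
    unsigned                nothing usable and no strict policy published.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    author = author_domain(msg)
    signers = dkim_pass_domains(msg)
    if author and author in signers:
        return "author-signed"
    if signers & THIRD_PARTY_AUTHORIZED.get(author, set()):
        return "third-party-authorized"
    pol = adsp_policy(author)
    if pol == "discardable":
        return "discard"
    if pol == "all":
        return "suspect"
    return "unsigned"


# Constructed sample messages (headers are what matter here).
MSG_AUTHOR_SIGNED = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=bank.example\n"
    "From: Alerts <alerts@bank.example>\nSubject: statement\n\nbody\n")
MSG_SPOOF = (
    "Authentication-Results: mx.example.net; dkim=fail header.d=bank.example\n"
    "From: Alerts <alerts@bank.example>\nSubject: urgent\n\nbody\n")
MSG_ESP = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.d=statements-esp.example\n"
    "From: Alerts <alerts@bank.example>\nSubject: statement\n\nbody\n")
MSG_NEWS = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=other.example\n"
    "From: Editor <editor@news.example>\nSubject: digest\n\nbody\n")
MSG_PLAIN = "From: someone@nobody.example\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("author", MSG_AUTHOR_SIGNED), ("spoof", MSG_SPOOF),
                      ("esp", MSG_ESP), ("news", MSG_NEWS), ("plain", MSG_PLAIN)]:
        print(name, classify(raw))
```

The strict equality between header.d and the From domain is what makes a signature an Author Domain Signature under RFC 5617; a signature from a subdomain or an unrelated domain does not satisfy a dkim=all or dkim=discardable policy. The Authentication-Results header is only trustworthy if the receiving MTA strips any copies that arrived from outside, so a real sorter must run behind such an MTA.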