ietf-dkim

Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion

2010-05-28 15:01:52
On Fri, May 28, 2010 at 2:32 PM, John R. Levine <johnl(_at_)iecc(_dot_)com> wrote:
But I'd like to see if I understand the difference you are trying to
highlight between a manually maintained list and a self published
list. Manually, there is confidence in understanding the
ramifications. Self published (ADSP) there is no assurance in the
understanding of the ramifications. Therefore the data collected from
one method is not applicable to the other? The end result (discarding)
would somehow end up different?

The discarding would be the same, but the mail that got discarded would be
different.  In particular, from the point of view of my mail users, the
cost of losing a real notification from Paypal is low, since all the info
is on their web site, and the value of dropping an unsigned message is
high since it is (give or take Steve's numbers) likely to be a phish.

For random domain X that is not a phish target and sends mail that is not
notifications, the cost of losing a real message is high, since it was
probably a message with real content, and the value of dropping an
unsigned message is low, since it's most likely a real message that got
its signature broken somehow.

OK, there's a question right there worth fleshing out. Is ADSP's
primary benefit only for domains used to send notifications? Certainly
that's the source of my desire for the ability to utilize ADSP. So if
that's the only stated value, and it's clearly stated that this is all
that ADSP does, then I still like it. I still want it.

In past discussions there had been an expressed concern that the
number of domains/companies who send notifications and are phish
targets is very low, but I would counter that it is not low at all. My
employer has financial institutions of all sizes as clients, from the
very small to the very large, and I certainly do observe phishing
attempts of the smaller ones. For these situations, I want to be able
to utilize ADSP, even knowing that it is not compatible with
forwarding or mailing lists.

Regards,
Al Iverson

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
